Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Directive 2015/2366/EU - Payment Services Directive (PSD2)RecitalsTitle I Subject matter, scope and definitions (arts. 1-4)Article 1 Subject matterArticle 2 ScopeArticle 3 ExclusionsArticle 4 DefinitionsTitle II Payment Service Providers (arts. 5-37)Chapter 1 Payment institutions (arts. 5-34)Section 1 General rules (arts. 5-18)Article 5 Applications for authorisationArticle 6 Control of the shareholdingArticle 7 Initial capitalArticle 8 Own fundsArticle 9 Calculation of own fundsArticle 10 Safeguarding requirementsArticle 11 Granting of authorisationArticle 12 Communication of the decisionArticle 13 Withdrawal of authorisationArticle 14 Registration in the home Member StateArticle 15 EBA registerArticle 16 Maintenance of authorisationArticle 17 Accounting and statutory auditArticle 18 ActivitiesSection 2 Other requirements (arts. 19-21)Article 19 Use of agents, branches or entities to which activities are outsourcedArticle 20 LiabilityArticle 21 Record-keepingSection 3 Competent authorities and supervision (arts. 22-31)Article 22 Designation of competent authoritiesArticle 23 SupervisionArticle 24 Professional secrecyArticle 25 Right to apply to the courtsArticle 26 Exchange of informationArticle 27 Settlement of disagreements between competent authorities of different Member StatesArticle 28 Application to exercise the right of establishment and freedom to provide servicesArticle 29 Supervision of payment institutions exercising the right of establishment and freedom to provide servicesArticle 30 Measures in case of non-compliance, including precautionary measuresArticle 31 Reasons and communicationSection 4 Exemption (arts. 32-34)Article 32 ConditionsArticle 33 Account information service providersArticle 34 Notification and informationChapter 2 Common provisions (arts. 35-37)Article 35 Access to payment systemsArticle 35a Conditions for requesting participation in designated payment systemsArticle 36 Access to accounts maintained with a credit institutionArticle 37 Prohibition of persons other than payment service providers from providing payment services and duty of notificationTitle III Transparency of conditions and information requirements for payment services (arts. 38-60)Chapter 1 General rules (arts. 38-42)Article 38 ScopeArticle 39 Other provisions in Union lawArticle 40 Charges for informationArticle 41 Burden of proof on information requirementsArticle 42 Derogation from information requirements for low-value payment instruments and electronic moneyChapter 2 Single payment transactions (arts. 43-49)Article 43 ScopeArticle 44 Prior general informationArticle 45 Information and conditionsArticle 46 Information for the payer and payee after the initiation of a payment orderArticle 47 Information for payer's account servicing payment service provider in the event of a payment initiation serviceArticle 48 Information for the payer after receipt of the payment orderArticle 49 Information for the payee after executionChapter 3 Framework contracts (arts. 50-58)Article 50 ScopeArticle 51 Prior general informationArticle 52 Information and conditionsArticle 53 Accessibility of information and conditions of the framework contractArticle 54 Changes in conditions of the framework contractArticle 55 TerminationArticle 56 Information before execution of individual payment transactionsArticle 57 Information for the payer on individual payment transactionsArticle 58 Information for the payee on individual payment transactionsChapter 4 Common provisions (arts. 59-60)Article 59 Currency and currency conversionArticle 60 Information on additional charges or reductionsTitle IV Rights and obligations in relation to the provision and use of payment services (arts. 61-103)Chapter 1 Common provisions (arts. 61-63)Article 61 ScopeArticle 62 Charges applicableArticle 63 Derogation for low value payment instruments and electronic moneyChapter 2 Authorisation of payment transactions (arts. 64-77)Article 64 Consent and withdrawal of consentArticle 65 Confirmation on the availability of fundsArticle 66 Rules on access to payment account in the case of payment initiation servicesArticle 67 Rules on access to and use of payment account information in the case of account information servicesArticle 68 Limits of the use of the payment instrument and of the access to payment accounts by payment service providersArticle 69 Obligations of the payment service user in relation to payment instruments and personalised security credentialsArticle 70 Obligations of the payment service provider in relation to payment instrumentsArticle 71 Notification and rectification of unauthorised or incorrectly executed payment transactionsArticle 72 Evidence on authentication and execution of payment transactionsArticle 73 Payment service provider's liability for unauthorised payment transactionsArticle 74 Payer's liability for unauthorised payment transactionsArticle 75 Payment transactions where the transaction amount is not known in advanceArticle 76 Refunds for payment transactions initiated by or through a payeeArticle 77 Requests for refunds for payment transactions initiated by or through a payeeChapter 3 Execution of payment transactions (arts. 78-93)Section 1 Payment orders and amounts transferred (arts. 78-81)Article 78 Receipt of payment ordersArticle 79 Refusal of payment ordersArticle 80 Irrevocability of a payment orderArticle 81 Amounts transferred and amounts receivedSection 2 Execution time and value date (arts. 82-87)Article 82 ScopeArticle 83 Payment transactions to a payment accountArticle 84 Absence of payee's payment account with the payment service providerArticle 85 Cash placed on a payment accountArticle 86 National payment transactionsArticle 87 Value date and availability of fundsSection 3 Liability (arts. 88-93)Article 88 Incorrect unique identifiersArticle 89 Payment service providers' liability for non-execution, defective or late execution of payment transactionsArticle 90 Liability in the case of payment initiation services for non-execution, defective or late execution of payment transactionsArticle 91 Additional financial compensationArticle 92 Right of recourseArticle 93 Abnormal and unforeseeable circumstancesChapter 4 Data protection (art. 94)Article 94 Data protectionChapter 5 Operational and security risks and authentication (arts. 95-98)Article 95 Management of operational and security risksArticle 96 Incident reportingArticle 97 AuthenticationArticle 98 Regulatory technical standards on authentication and communicationChapter 6 ADR procedures for the settlement of disputes (arts. 99-103)Section 1 Complaint procedures (arts. 99-100)Article 99 ComplaintsArticle 100 Competent authoritiesSection 2 ADR procedures and penalties (arts. 101-103)Article 101 Dispute resolutionArticle 102 ADR proceduresArticle 103 PenaltiesTitle V Delegates acts and regulatory technical standards (arts. 104-106)Article 104 Delegated actsArticle 105 Exercise of the delegationArticle 106 Obligation to inform consumers of their rightsTitle VI Final provisions (arts. 107-116)Article 107 Full harmonisationArticle 108 Review clauseArticle 109 Transitional provisionArticle 110 Amendments to Directive 2002/65/ECArticle 111 Amendments to Directive 2009/110/ECArticle 112 Amendments to Regulation (EU) No 1093/2010Article 113 Amendment to Directive 2013/36/EUArticle 114 RepealArticle 115 TranspositionArticle 116 Entry into forceArticle 117 AddressesAnnex I Payment servicesAnnex II Correlation tableDone at
Page Overview
Related
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Recently generated comparisons
2026-05-21 vs. 2026-05-21
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 17th June 2026
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application

AI Summary of Article 95 Management of operational and security risks

Member States must ensure payment service providers establish a framework of mitigation measures and control mechanisms to manage operational and security risks for the payment services they provide, including effective incident management procedures for detection and classification of major operational and security incidents. The first subparagraph is without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 to: (a) payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive; (b) account information service providers referred to in Article 33(1); (c) payment institutions exempted pursuant to Article 32(1); and (d) electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC. Member States shall ensure providers supply the competent authority, annually or at shorter intervals as determined, an updated and comprehensive assessment of operational and security risks and the adequacy of mitigation measures and controls.

By 13 July 2017, the EBA, in close cooperation with the ECB and after consulting relevant stakeholders, is to issue guidelines under Article 16 of Regulation (EU) No 1093/2010 on establishment, implementation and monitoring of security measures, including certification processes; the EBA must review those guidelines regularly and at least every two years. Taking account of experience, the EBA shall, where requested by the Commission, develop draft regulatory technical standards on criteria and conditions for establishment and monitoring of security measures, with power delegated to the Commission to adopt those RTS under Articles 10 to 14 of Regulation (EU) No 1093/2010. The EBA shall promote cooperation and information sharing on operational and security risks among competent authorities and between competent authorities and the ECB and, where relevant, the European Union Agency for Network and Information Security.

PreviousNext
Version status: Amended | Document consolidation status: Updated to reflect all known changes
Version date: 16 January 2023 - onwards
Version 3 of 3

Article 95 Management of operational and security risks

DRAFT To be repealed Article 48 Repeal of the Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC (COM(2023) 366 final / 2023/0209 (COD)) (PSD3) (updated 17 April 2026 with 'I' ITEM NOTE and Note)
View:
Current text Draft text as it may be read Compare current vs draft text Whole document current text vs draft text

1. Member States shall ensure that payment service providers establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

The first subparagraph is without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 to:

(a) payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;

(b) account information service providers referred to in Article 33(1) of this Directive;

(c) payment institutions exempted pursuant to Article 32(1) of this Directive; and

(d) electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.

PreviousNext