Podcast 154: European payments enter execution mode: PSD3, Wero, DORA, with Andréa Toucinho

For most of the past decade, European payments were a story of accumulation. New regulations are layered on top of older ones. New initiatives announced alongside unfinished ones. New acronyms are entering the vocabulary faster than operators can integrate them.

This episode of the Fintech Garden Podcast marks the moment that the pattern starts to break. In conversation with Andréa Toucinho of Partelya Consulting, the focus shifts from what is being proposed to what is being deployed.

The shift in vocabulary is small. The shift in posture is significant.

Three Forces Are Reshaping European Payments Simultaneously

Three evolutions are running in parallel across the European market.

The first is technological — AI, stablecoins, tokenization, and modernized rails. The second is regulatory — PSD3, GDPR, AML6, MiCA, eIDAS2 — increasingly being designed as one connected system rather than as separate compliance projects. The third is sovereignty — Wero, EuroPA, the digital euro — moving from political statement to operational deployment.

Each of these is consequential on its own. The strategic question is how they converge.

The answer is starting to take shape. EPI and EuroPA have announced a collaboration. The digital euro project from the ECB is advancing. National regulators are aligning resilience and fraud frameworks across borders.

Europe is no longer in the design phase. It is in execution.

Regulation Is Becoming Operational Strategy

The dominant frame for European payments regulation used to be compliance — a cost to bear, a checkbox to clear.

That frame is shifting.

PSD3, AML6, and DORA are now being read by serious operators as strategic inputs. They define where competition is allowed, where it is constrained, and where infrastructure must be shared. The companies that understand this early adjust their product strategy upstream. Those that treat each regulation as an isolated cost react late and pay more.

A specific shift Andréa highlights: collaboration is now structural. In France, the Observatoire de la Sécurité des Moyens de Paiement is integrating not just banks, fintechs, and retailers, but also telcos and internet platforms — because that is where fraud now lives. The regulatory architecture is being rebuilt around the actual ecosystem, not just the financial institutions inside it.

Compliance is becoming a multi-stakeholder design problem.

Tokenization Is Becoming the Default

Tokenization is often discussed as a Visa and Mastercard project. The conversation widens the lens.

Local schemes — Cartes Bancaires in France, equivalent players in other markets — are pursuing tokenization with the same goals: cleaner e-commerce experiences and reduced fraud exposure.

Apple Pay is the most visible implementation. Every transaction passes through a token rather than the actual card credentials. Users may not realize it, but they have already been operating in a tokenized world for years.

What tokenization adds beyond fraud reduction is control. Users can see which merchants hold their tokens. They can revoke individual merchant access without canceling the underlying card.

That is a meaningful product surface that is still underexploited by issuers.

Wallets Are the New European Battleground

Wallets have become the layer where European payment sovereignty is most visible to end users.

Two strategies are running in parallel.

Wero, from EPI, is building a new pan-European brand on top of instant payment rails. It launched first in France, Germany, and Benelux, and continues to expand. The bet is that a single coherent brand will produce the user adoption Europe needs.

EuroPA is taking the opposite approach. Rather than building a new brand, it federates existing successful local wallets — Bizum in Spain, MB WAY in Portugal, Bancomat Pay in Italy — and connects them at the interoperability layer. The bet is that local trust transfers more reliably than new brand recognition.

Both are reasonable. The recent announcement of collaboration between EPI and EuroPA suggests Europe will get both.

Layered on top is the digital euro from the ECB — a public-sector initiative with a different mandate, but a structurally similar role.

Instant Payments Are No Longer Optional

The European Commission has made its intent explicit: instant payments will be the new normal.

The regulation accelerates a transition that was already underway, but unevenly. France’s deep card tradition slowed adoption. Spain and Italy moved faster. Smaller markets followed national leaders.

Wero’s rollout reinforces the trend because the wallet runs on instant payment rails. Adoption of one drives adoption of the other.

The security architecture is catching up at the same pace. Verification of payee is being standardized. France has centralized high-risk IBANs. Cross-border fraud signals are starting to move with the transactions themselves.

Instantness no longer requires a tradeoff on security.

DORA Is a Resilience Mandate, Not a Documentation Exercise

The April 2024 Iberian blackout reframed the resilience conversation.

When grid power fails across two countries, what happens to electronic payments? The honest answer in most markets was: not enough.

DORA had already arrived. What changed was the urgency.

Portugal’s Fórum para os Sistemas de Pagamentos now treats resilience as a strategic working stream. France is doing the same through Banque de France and Cartes Bancaires. Both programs converge on the same conclusion.

Resilience is not a single fallback. It is a diversity of operational options.

Offline card transactions with later reconciliation. Maintained access to cash. Redundancy across rails. The digital euro is being designed with offline capability for the same reason.

For product teams, the implication is direct. Resilience is now a feature, not a footnote in the risk register.

Fraud Has Moved From Systems to People

Fraudsters used to attack systems. Now they attack users.

France: fake bank employees calling customers, claiming the account has been hacked, instructing the user to transfer funds to a “safe” account.

Portugal: WhatsApp impersonation — “Dear mother, I lost my phone, please send €100 to this account.” Fake employment offers via SMS promising €10,000.

The same techniques exist everywhere. The local execution differs by culture, by communication channel, by language.

AI is accelerating all of it. Voice cloning. Personalized messages built from public data. Convincing fake interfaces. Pattern detection that worked five years ago will not work in three.

The response is being built in two layers.

National campaigns — French Banking Federation, Banco de Portugal — focused on user education. Multi-stakeholder frameworks integrating banks, fintechs, telcos, and internet platforms into shared fraud response.

Security is becoming a public-private system, not a bank-by-bank function.

PSD3 Is Evolution, Not Revolution

PSD3 should not be read as a reset.

It is the refinement of PSD2, applied where implementation revealed gaps. Three priorities stand out.

Security reinforcement, building on the lessons of SCA. Open banking harmonization, addressing the fragmentation that PSD2 unintentionally produced. API standardization, closing the gap between countries with centralized infrastructure and those with bank-by-bank approaches.

The longer horizon already being prepared is open finance. Europe is not waiting for PSD3 to be fully operational before defining what comes next. Some markets are eager. Others — France in particular, given its strong security culture — are more cautious.

Both reactions are legitimate. Open finance done badly is worse than open banking done well.

Diversity Is Europe’s Underrated Advantage

Andréa closes on a point that runs counter to most international payments narratives.

Fragmentation is often framed as Europe’s weakness. The conversation reframes it as a structural strength.

Different countries weigh cash, cards, instant payments, wallets, and direct debit differently — because their consumers, regulators, and infrastructures evolved differently. What looks like inefficiency from the outside is, in practice, a hedge against single points of failure.

The policy direction is to preserve that choice, not erase it.

For founders, this means designing for plurality. For incumbents, it means defending the option that fits your market, not chasing the option that wins headlines. For regulators, it means harmonizing the interfaces while protecting the diversity behind them.

Europe took thirty years to build the euro. The payment infrastructure on top of it has now reached its own execution phase.

The next decade will not be about whether Europe can build sovereign payments. It will be about which combinations of rails, wallets, and frameworks win in which markets.