PSD3 Cyprus: The 2027 Rebuild Every Payment Firm Must Staff For | Emerald Zebra

PSD3 and the Payment Services Regulation: The 2027 to 2028 Harmonisation Wave

PSD3 is not PSD2 with tweaks. It is a structural rebuild of how payments work across the European Union. The European Parliament and the Council reached a provisional political agreement in November 2025. Final texts are expected in the first half of 2026. Applicability runs from late 2027 to early 2028. For the first time, the Payment Services Regulation is a directly applicable regulation, not just a directive: no national opt-outs, no fragmented interpretation, no jurisdictional arbitrage. One rulebook, 27 countries, 450 million-plus people. Every payment service provider in the EEA will need to replatform, rebuild compliance and restructure products by 2027 to 2028. That is an 18-month execution window starting now, and it requires people.

 

The Shift from PSD2 to PSD3 and Why It Matters

PSD2 was a directive, implemented differently across member states, producing fragmentation. PSD3 arrives as a regulation, directly applicable and uniformly enforced.

What is actually changing:

  1. Open banking moves from access rights to performance and transparency. Banks must publish API uptime data, maintain performance standards, and may remove screen-scraping fallbacks only if dedicated interfaces meet defined thresholds. This is institutional-grade SLA management.
  2. Directly applicable regulation replaces fragmented directives, with no national exemptions.
  3. Authentication and fraud prevention tighten. Strong customer authentication requirements are extended and clarified, and the bigger shift is toward risk-based authentication and fraud detection that firms must justify to regulators.
  4. Cross-border payments harmonise. SEPA instant credit transfers are standard, with settlement in central bank money within seconds.
  5. Third-party risk management becomes explicit. Firms are responsible for the compliance of outsourced payment processing.

 

These are architectural changes, not incremental ones. Firms that patched PSD2 compliance will find PSD3 forces a rebuild.

 

The Regulatory Timeline and Execution

  • H1 2026: final texts published; the Central Bank of Cyprus issues implementation guidance.
  • H2 2026: impact assessments and replatforming planning.
  • Q4 2026 to Q1 2027: execution ramps; hiring for programme management, engineering and compliance accelerates.
  • 2027 to 2028: go-live preparation, testing, regulatory certification.
  • Late 2027 to early 2028: applicability begins, with no transition period equivalent to MiCA’s grandfathering.

 

The CBC has already strengthened its supervisory framework for electronic money institutions and payment service providers through 2025 directives covering prudential requirements and board suitability. That is a signal: PSD3 compliance will be a board-level governance issue, not a checkbox.

 

What Payment Firms Actually Have to Rebuild

  1. API architecture and performance: uptime publication, latency and success-rate thresholds, monitoring and disaster recovery as explicit compliance requirements. Hiring: API architects, DevOps and infrastructure specialists with payment-grade reliability experience.
  2. Authentication and fraud detection: firms must demonstrate fraud models work, false positives are low and legitimate transactions are not blocked. Hiring: data science, behavioural analytics, real-time decisioning capability.
  3. Third-party oversight: documented contracts, due diligence, SLA monitoring, regular audits of processors and cloud providers. Hiring: dedicated third-party management resources.
  4. Consumer protection and data handling: consent management, data minimisation and privacy across open banking flows. Hiring and product implications for consent redesign.
  5. Cross-border SEPA instant payments: settlement architecture changes and possible TIPS integration.

 

Project scope: most banks and major PSPs are estimating EUR 5 to 20 million in replatforming costs on 12 to 18 month timelines. (Katy: sanity check this range against current advisory estimates before publication.)

 

Open Banking as a Market Differentiator

Under PSD2, open banking was a compliance feature. PSD3 reframes it as market infrastructure. Banks with reliable, fast, transparent APIs become preferred partners for fintechs and other PSPs; fintechs building on reliable infrastructure lower development cost and accelerate time to market. Permission dashboards that let customers manage consents have already strengthened trust and adoption. Product managers and engineers who understand open banking as a core architectural pattern, rather than a compliance feature, are premium hires.

 

The Hiring Boom, Function by Function

Engineering and infrastructure: Head of Payments Architecture (EUR 120k to 180k); Senior Payments Engineer (EUR 85k to 130k); DevOps or Infrastructure Engineer (EUR 75k to 110k); Data Engineer or ML Specialist (EUR 80k to 125k).

Product: Head of Payments Product (EUR 100k to 150k); Senior Product Manager, Open Banking (EUR 85k to 120k).

Compliance and regulatory: Head of Regulatory Affairs, Payments (EUR 100k to 160k); Senior Compliance Officer, Payments (EUR 80k to 120k); Third-Party Risk Manager (EUR 70k to 105k).

Operations: Programme Manager, PSD3 Implementation (EUR 75k to 110k); Payments Operations Manager (EUR 65k to 95k).

The hiring pattern: 2 to 3 leadership hires in Q4 2026 (architecture, product, regulatory affairs), 5 to 8 engineering and product hires in Q1 2027, additional operational and compliance staff through 2027 to 2028.

 

Why Cyprus Banks Are Prioritising PSD3 Hiring Now

Four reasons: legacy replatforming takes 18 to 24 months so assessment must start now; the CBC will expect a PSD3 roadmap by mid-2026, which requires board-level governance and a Head of Regulatory Affairs in post; testing windows land in 2027, meaning builds complete in late 2026; and payment infrastructure talent with PSD3 exposure is scarce, so firms that hire first choose first.

 

Dual Regulatory Tracks

PSD3 is running in parallel with MiCA (in effect), the digital euro (legislation by end-2026, pilot 2027, launch 2029), DORA (in effect since January 2025) and the EU AI Act (full high-risk compliance August 2026). A Head of Regulatory Affairs hired in Q4 2026 is effectively managing four simultaneous regulatory transformations. That overlap creates a talent premium: professionals who understand the intersections are scarce, command higher compensation and progress faster.

 

Strategic Positioning for 2027 to 2028

The firms that win post-PSD3 are the ones that use it as a reset moment: rebuilding payments infrastructure from first principles, investing in open banking as competitive advantage, building AI and ML capability for fraud and risk, and organising for regulatory complexity with clear governance. Strategic firms hire senior leaders now, in 2026, to shape a five-year payments platform. Reactive firms will hire operational staff in 2027 just to meet deadlines.

 

Key Citations and Sources

  • PSD3 provisional agreement and timeline (European Parliament and Council, November 2025)
  • Instant Payments Regulation timeline (from January 2025)
  • CBC 2025 directives on EMIs and PSPs
  • PSD2 to PSD3 open banking evolution (Chambers and Partners fintech guides)
  • SEPA instant credit transfer standards

Internal Links

Follow us on

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Related News