European fintech has spent the last two years living through a regulatory rebuild. Three acronyms now define what you can ship, where you can ship it, and how much capital you need to keep on hand. If you're founding or running an EU-facing fintech, you should be able to draw the map.
The three live regulations that matter most:
- PSD3 + PSR — the next generation of the EU's payment-services directive, with a new Payment Services Regulation directly binding on member states.
- MiCA — Markets in Crypto-Assets — the EU's first comprehensive crypto rulebook, in full force since December 2024.
- DORA — Digital Operational Resilience Act — applicable since January 2025, mandates serious operational risk management for everyone in the financial sector.
Each of them changes something fundamental. Let's take them in turn.
PSD3 — the rewiring of EU payments
PSD2 (2018) opened up bank account access via APIs and created the licensed PISP/AISP categories. Open banking, more or less, exists because of it. PSD3 — and its directly applicable sibling regulation, the PSR — is the cleanup pass. It was adopted in late 2024, and member states have until October 2026 to transpose it. The substance:
Open banking gets an SLA
The single biggest complaint from PSD2-era PISP/AISP startups was that bank APIs were unreliable, undocumented, or rate-limited into uselessness. PSD3 introduces mandatory uptime, latency, and parity standards for bank-provided account-access APIs, with enforcement through the EBA (European Banking Authority). If a bank's API is worse than its own mobile app, that's a finding.
Strong Customer Authentication, refined
SCA isn't going away — but PSD3 carves out clearer exemptions for low-risk recurring payments, B2B card payments, and merchant-initiated transactions. Net effect: less 3DS friction on the right transactions, no relaxation on the wrong ones.
The PI / EMI merger
Payment Institutions and E-Money Institutions used to be separate licences with different capital requirements. PSD3 merges them into a single "Payment Institution" framework with three sub-licences for what you actually do. If you currently hold an EMI licence in NL, IE, or LT, expect a smooth conversion. If you're applying for a new licence in 2026, you'll be applying under the merged regime.
If you're a UK fintech, PSD3 doesn't apply to you directly — the UK has its own Payment Services Regulations 2017 + FCA framework. But: passporting is gone post-Brexit. EU customers need an EU-licensed entity. Most UK fintechs of any scale operate a separate Irish, Dutch, or Lithuanian subsidiary for EU business, and PSD3 affects that subsidiary.
MiCA — crypto, regulated
Markets in Crypto-Assets was the EU's response to "the wild west needs walls." Phased in through 2024, fully applicable from 30 December 2024. If you issue, trade, custody, or otherwise commercially handle crypto-assets in the EU, MiCA applies.
It splits crypto-assets into three buckets:
| Category | What it covers | Regulatory weight |
|---|---|---|
| Asset-Referenced Tokens (ARTs) | Stablecoins backed by a basket of currencies, commodities, or other crypto | Heavy — separate authorisation, reserve rules, redemption rights |
| E-Money Tokens (EMTs) | Stablecoins pegged 1:1 to a single fiat currency (e.g. USDC, EURC) | Issuer needs to be an EMI or credit institution |
| Other crypto-assets | Everything else — utility tokens, native L1 coins, NFTs (sometimes) | White-paper publication, marketing rules, no authorisation needed to issue |
If you operate a Crypto-Asset Service Provider (CASP) — exchange, broker, custodian, advisor — you need a CASP authorisation in one EU member state. The good news: once authorised, you can passport across the EU. The less-good news: the bar is substantial. Capital requirements, governance, custody rules, conflict-of-interest management.
Most existing crypto businesses operating in the EU were given a transitional period through mid-2026 to obtain CASP authorisation. That window is closing. If you're still on a national registration (e.g. the old Dutch DNB crypto register), now is the time to file.
DORA — operational resilience as law
DORA — Digital Operational Resilience Act — became applicable on 17 January 2025. It applies to almost every regulated financial entity in the EU: payment institutions, e-money institutions, banks, insurers, investment firms, and, now formally, crypto-asset service providers (CASPs) under MiCA.
Five pillars, all of which need to be reflected in your internal documentation, controls, and contracts:
- ICT risk management — board-level ownership, documented policies, real risk register.
- Incident reporting — major ICT-related incidents reported to your national competent authority within strict timelines (initial notification within 4 hours, intermediate within 72 hours, final within 1 month).
- Operational resilience testing — annual, with full Threat-Led Penetration Testing every 3 years for "significant" entities.
- Third-party ICT risk — your contracts with cloud providers, SaaS vendors, and KYC partners now need specific DORA-compliant clauses. AWS, GCP, Stripe et al. have published standard DORA addenda.
- Information sharing — voluntary participation in threat-intelligence sharing networks.
The practical implication for a 20-person fintech startup: about 2–3 months of one person's time to get your DORA documentation, third-party contract addenda, and incident-response playbook in order. We've helped six clients through it; the painful part is always the third-party contract refresh.
DORA doesn't just bind regulated financial entities — it also reaches critical ICT third-party service providers serving them. If you're a B2B fintech-SaaS startup selling into banks or insurers, your customers' DORA obligations flow downhill to you. Expect contract amendments. Charge accordingly.
The licensing map — where to actually base your fintech
Once a fintech is large enough to need an EU licence, the choice of regulator becomes load-bearing. Here is a quick comparison of the three most common jurisdictions (the Netherlands, Ireland, and Lithuania) for a payment institution or EMI:
| Jurisdiction | Regulator | Typical authorisation time | Reputation |
|---|---|---|---|
| Netherlands | DNB | 9–18 months | Thorough; trusted; slow |
| Ireland | Central Bank of Ireland | 12–24 months | Thorough; trusted; very slow |
| Lithuania | Bank of Lithuania | 6–12 months | Fast; pragmatic; smaller market |
The Netherlands has become the de facto choice for serious fintechs targeting Western European customers — Adyen, Bunq, and Mollie are all licensed here. Lithuania remains popular for B2B and crypto-adjacent businesses prioritising speed. Ireland is the natural choice if you want to keep an English-language hub close to the City of London.
What founders should be doing now
- If you handle payments: watch the PSD3 transposition in your home jurisdiction. Most member states will publish draft text in Q3 2026; line up your licence-renewal application accordingly.
- If you touch crypto: if you don't have a CASP application in flight, you should. The transitional window for legacy operators closes by H2 2026 in most countries.
- If you're regulated, full stop: your DORA documentation should be done. If it's not, that's a one-quarter project with a tight deadline before your next supervisory review.