Version status: Amended | Document consolidation status: Updated to reflect all known changes
Version date: 16 January 2023 - onwards
Version 3 of 3

Article 95 Management of operational and security risks

DRAFT To be repealed Article 48 Repeal of the Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC (COM(2023) 366 final / 2023/0209 (COD)) (PSD3) (updated 19 April 2024 with Information Note)

1. Member States shall ensure that payment service providers establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

The first subparagraph is without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 to:

(a) payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;

(b) account information service providers referred to in Article 33(1) of this Directive;

(c) payment institutions exempted pursuant to Article 32(1) of this Directive; and

(d) electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.