📊 Full opportunity report: The rails. Why European agentic commerce is co-defined by two converging regimes. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European agentic commerce is being shaped by two regulatory frameworks: PSD3/PSR rebuilding payment rails and the AI Act imposing high-risk obligations on AI systems. This convergence affects how AI agents can operate and pay in Europe, with implications for speed and durability.

European agentic commerce is currently being shaped by two major regulatory regimes—PSD3/PSR and the AI Act—that together determine how AI agents can operate in financial transactions. While the technology for AI-driven shopping and payments exists, the legal framework remains the decisive factor, and it is not yet clear when or how AI agents will be authorized to pay autonomously in Europe.

The core issue is that European law requires human authorization at the point of payment, preventing AI agents from acting as legal payers. Unlike the US, where private payment networks like Mastercard’s Agent Pay and Visa’s Intelligent Commerce facilitate agent payments, Europe’s payment infrastructure is statutory, governed by regulation such as PSD2 and upcoming PSD3/PSR. These laws mandate multi-factor human authentication and API parity, meaning banks must expose interfaces as capable as their consumer apps, but they do not currently recognize AI agents as payers. Meanwhile, the AI Act, scheduled for implementation around 2026, classifies high-risk AI systems—such as those used for credit scoring or fraud detection—as subject to strict oversight, including conformity assessments, human oversight, and registration. These two regimes are being developed independently but will jointly influence the capabilities and legal status of AI agents in Europe. The PSD3/PSR aims to rebuild the payment rails with API parity, while the AI Act introduces guardrails for AI systems handling financial data and decisions. The intersection of these regulations creates a complex, fragmented environment where the legal authority to pay and the technological capability to do so are not aligned.

The Rails — Thorsten Meyer AI

RAILS

● DISPATCH / JUNE 2026

THORSTEN MEYER AI · AGENTIC COMMERCE · § 04

AGENTIC COMMERCE · 04

EUROPE / RAILS

Essay · European-Infrastructure Forensic · 2026-06-04

The rails.
Why European agentic
commerce is co-defined by
two converging regimes.

An agent that can shop cannot pay. The gap at the center of European agentic commerce isn’t a technology gap — it’s a legal one.

The AI can compare, choose, and fill the cart — but at payment, European law requires a human, not a machine, to authorize, and there’s no mechanism to treat an agent as a legal payer. In the US, agentic payments run on commercial rails (Mastercard Agent Pay, Visa Intelligent Commerce, Plaid) a few firms own and extend by decision. In Europe the rails are statutory — defined by regulation, and being rebuilt right now: PSD3/PSR (agreed Nov 2025, publishing summer 2026) with mandatory API parity, and the AI Act classifying credit scoring as high-risk. The structural argument: European agentic commerce isn’t a product shipped onto existing rails — it’s a system co-defined by two converging regulatory regimes, so the constraint isn’t the agent’s capability but the legal architecture it must run on, and that architecture is statutory, fragmented, and different in kind from the US commercial one.

Thorsten Meyer ThorstenMeyerAI.com Munich · Iffeldorf Essay · ~5,300 words Agentic Commerce · 04

can’t pay

An agent can shop but can’t pay ·
SCA needs a human payer

API parity

PSD3 forces banks to expose
first-class third-party interfaces

Aug 2 ’26

AI Act high-risk deadline ·
(Omnibus may slip it to 2027)

~2028

PSD3 full applicability ·
the clock agentic commerce runs on

THE RAILS· AN AGENT THAT CAN SHOP CANNOT PAY· THE CONSTRAINT IS LEGAL, NOT TECHNOLOGICAL· SCA REQUIRES A HUMAN PAYER · NO MECHANISM FOR AGENTS· US COMMERCIAL RAILS · EXTENDED BY DECISION · FAST, CONCENTRATED· EU STATUTORY RAILS · DEFINED BY LAW · SLOW, OPEN· PSD3/PSR AGREED NOV 27 2025 · PUBLISHING SUMMER 2026· MANDATORY API PARITY · NO MORE DEGRADED INTERFACES· DIRECT PAYMENT-SYSTEM ACCESS FOR NONBANKS · NO SPONSOR-BANK VETO· AI ACT · CREDIT SCORING IS HIGH-RISK· FOUR INSTRUMENTS · PSR / FIDA / PSD3 / AI ACT · ONE AGENT· THE FRICTION IS INTER-REGIME, NOT INTRA-REGIME· THE MANDATE BRIDGE · AUTHORIZE ONCE, DELEGATE BOUNDED ACTION· WHICH FOUNDATION AN AGENT ECONOMY PREFERS IS THE OPEN QUESTION· THE RAILS· AN AGENT THAT CAN SHOP CANNOT PAY· THE CONSTRAINT IS LEGAL, NOT TECHNOLOGICAL· SCA REQUIRES A HUMAN PAYER · NO MECHANISM FOR AGENTS· US COMMERCIAL RAILS · EXTENDED BY DECISION · FAST, CONCENTRATED· EU STATUTORY RAILS · DEFINED BY LAW · SLOW, OPEN· PSD3/PSR AGREED NOV 27 2025 · PUBLISHING SUMMER 2026· MANDATORY API PARITY · NO MORE DEGRADED INTERFACES· DIRECT PAYMENT-SYSTEM ACCESS FOR NONBANKS · NO SPONSOR-BANK VETO· AI ACT · CREDIT SCORING IS HIGH-RISK· FOUR INSTRUMENTS · PSR / FIDA / PSD3 / AI ACT · ONE AGENT· THE FRICTION IS INTER-REGIME, NOT INTRA-REGIME· THE MANDATE BRIDGE · AUTHORIZE ONCE, DELEGATE BOUNDED ACTION· WHICH FOUNDATION AN AGENT ECONOMY PREFERS IS THE OPEN QUESTION·

FIG. 01 — THE GAP · AN AGENT THAT SHOPS CANNOT PAY

The defining constraint on European agentic commerce is legal, not technical

The capability is present; the authority is absent

shop ✓

Compare, evaluate, fill the cart,
choose the best deal — capability is here

SCA

human
authentication
required

pay ✗

No mechanism to treat an agent
as the equivalent of a human payer

Strong Customer Authentication requires two of three factors — something the payer is (biometric), knows (password), possesses (a device). Each presumes a human; an autonomous agent has none in the SCA sense. Europe’s agentic-commerce bottleneck is its own payment law — a constraint that cannot be engineered around, only legislated through. The barrier is not a missing feature; it is the regime itself.

FIG. 02 — STATUTORY VS COMMERCIAL RAILS · WHY THE US PLAYBOOK DOESN’T PORT

Two foundations, different in kind

The US playbook assumes the rail’s owner sets the rule; in Europe the legislature does

US · commercial rails

Owned by networks, extended by decision

Mastercard Agent Pay, Visa Intelligent Commerce, Plaid
The rail’s owner sets the rule — extend to agents by product decision
Fast — moves at product speed
Concentrated — a few firms control access

EU · statutory rails

Defined by regulation, no owner

PSD2/PSD3, PSR, SCA, FIDA
The legislature sets the rule — no network can grant payer status
Slow — moves at legislative speed
Open — mandatory API parity, public data substrate

A US firm cannot bring Agent Pay to Europe and switch agents on — it must wait for the European regime to define how an agent authenticates, accesses data, and pays. The playbook’s central move (extend the rail by decision) is unavailable, because the rule is set by regulation. The same property that makes the EU stack slow — statutory rails — is the property that makes it open: no agent economy built on Visa’s permission is as open as one built on mandatory API parity.

FIG. 03 — THE PSD3/PSR REBUILD · THE NEW PAYMENT RAILS

The most consequential payments reform since PSD2 introduced open banking

The clock European agentic commerce runs on

Nov 27 2025

Parliament + Council reach provisional political agreement on PSD3 and the PSR

Summer 2026

Final texts expected in the Official Journal

+20 days

PSR (directly applicable) takes effect — mandatory API parity, nonbank payment-system access

~2028

PSD3 fully applicable after ~18-month transposition · the SCA rewrite lives in the PSR

Mandatory API parity means an agent gets a first-class bank interface by law — the difference between an agent that works and one quietly throttled by the bank whose customer it acts for. Direct payment-system access ends the sponsor-bank veto over fintech models. But the SCA accommodation that would let an agent pay is not yet written — it must live in the PSR, within a framework built to fight a $400B fraud problem.

FIG. 04 — THE AI ACT GUARDRAILS · THE MODEL REGIME

Running on the rails is necessary but not sufficient

The rails govern whether the agent can pay; the guardrails govern whether it can decide

The classification

Credit scoring = high-risk

Annex III loads it with conformity assessment, human oversight, registration, post-market monitoring. The heaviest tier.

The deadline

Aug 2 2026 — maybe

The May 2026 “Omnibus” proposes slipping high-risk to 2027 — not yet adopted; treat Aug 2026 as operative.

The reach

Extraterritorial

A US lab’s agent scoring a European user is in scope even if hosted offshore. The Brussels Effect, applied to agents.

The AI Act’s human-oversight requirement intersects directly with the payment regime’s human-authentication requirement: both regimes, from different directions, insist a human stay in the loop — the AI Act for the decision, the PSR for the payment. Non-compliance reaches up to 7% of global revenue. The guardrail shapes what an agent can do beyond paying — and because it reaches any system serving EU users, it shapes agentic finance globally.

FIG. 05 — THE MANDATE BRIDGE · HOW THE GAP GETS CROSSED

Not as an autonomous payer — as a bounded delegate of a human who authorized it once

The design that threads both regimes’ insistence on a human in the loop

The human · up front

Authorizes the mandate

Sets spending limits, allowed merchants, use cases — and authenticates once (satisfies SCA).

→

delegated,
within
limits

The agent · within bounds

Transacts inside the mandate

Acts without re-authenticating each payment — the boundaries satisfy AI Act oversight.

The mandate satisfies the payment regime’s human-authentication requirement (the human authorizes the mandate) and the AI Act’s human-oversight requirement (the human sets and can revoke the boundaries) simultaneously. For it to scale, the regimes must formalize it — the PSR’s SCA rewrite is where the legal basis would live, the AI Act’s oversight rules are where the boundary requirements would. This is the permission-and-boundary model the European approach favors over autonomous action.

Europe is betting that durable, open, publicly-owned rails produce a better agentic-commerce market than fast, concentrated, privately-owned ones — even at the cost of arriving later. Which foundation an agent economy actually prefers is the genuine open question.

Thorsten Meyer · The Rails · Agentic Commerce 04

Source dossier

Finextra (Zelezkins) · Agentic AI in payments 2026 — “the main barrier is not technological capability but legal and regulatory constraints”; PSD2/SCA require human authorization, “no current mechanism for AI agents to be treated as equivalent to a human payer”; Mastercard Agent Pay, Visa Intelligent Commerce; the pre-approved spending mandate model · [finextra.com](https://www.finextra.com/blogposting/30920/agentic-ai-in-payments-in-2026-whats-real-whats-pilot-and-whats-still-hype)
Taylor Wessing · Agentic AI in payments — AI Act applying in full from Aug 2 2026, risk-based; provider/deployer distinction; SCA’s two-of-three factors built around a human payer · [taylorwessing.com](https://www.taylorwessing.com/en/insights-and-events/insights/2026/02/agentic-ai-in-payments)
Crassula · PSD3 and PSR 2026 — provisional agreement Nov 27 2025; publication H1/summer 2026; 21-month transition; PI/EMI merger; IBAN-name check; APP-fraud liability; FIDA still in trilogue (extends open banking to investments, pensions, insurance, mortgages) · [crassula.io](https://crassula.io/guides/licenses/psd3-psr/)
Open Banking / PSD3 restarts the revolution — PSD3 publication H1 2026, applicability Q2/Q3 2028; PSR directly applicable 20 days after; mandatory API parity (banks maintain third-party APIs to their own standard); FIDA open finance · [mybusinessfuture.com](https://mybusinessfuture.com/en/open-banking-has-failed-why-psd3-will-restart-it/)
Speednet · PSD3/PSR architectural reset — $400B fraud-loss forecast; direct payment-system access for nonbanks ends sponsor-bank dependency and the bank veto; consent dashboards; 4%-turnover penalties · [speednetsoftware.com](https://speednetsoftware.com/psd3-and-psr-an-architectural-reset-for-european-digital-payments/)
Linklaters · Payments in 2026 #3 (PSD3) — law ~mid-2026; verification-of-payee on all transfers; spending limits and blocking; the EBA’s ~40 mandates; Q2 2026 EBA implementation roadmap · [financialregulation.linklaters.com](https://financialregulation.linklaters.com/post/102mei6/payments-in-2026-3-psd3)
CSA / Lab Space · EU AI Act high-risk deadline — Aug 2 2026 binding for high-risk (Arts 9-17 providers, Art 26 deployers); the Nov 2025 delay-to-2027 proposal “not enacted — treat Aug 2026 as operative”; conformity assessment, registration, FRIAs, six-month log retention · [labs.cloudsecurityalliance.org](https://labs.cloudsecurityalliance.org/research/csa-research-note-eu-ai-act-high-risk-compliance-deadline-20/)
Latham & Watkins · AI Act Omnibus (May 7 2026) — political agreement extending certain high-risk deadlines, formal adoption expected by July 2026 ahead of Aug 2; watermarking grandfathered to Dec 2 2026; fines up to €15M or 3% of turnover · [lw.com](https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines)
Secure Privacy · EU AI Act 2026 — credit-application assessment as high-risk; extraterritorial reach (US loan-approval AI serving EU customers in scope even if hosted offshore); up to 7% of global revenue · [secureprivacy.ai](https://secureprivacy.ai/blog/eu-ai-act-2026-compliance)
The bank account / Unbundled / The mandate · Thorsten Meyer · Agentic Commerce 01-02-03 · the consumer agent whose payment is blocked, the PFM layer FIDA would open, the conduct regime this infrastructure piece complements

Colophon

Set in Source Serif 4 (display, italic accent), EB Garamond (body), IBM Plex Sans (UI labels), IBM Plex Mono (mastheads, ticker, stamps). Paper-cool gray-cream #e6e7e4.

Chromatic register: structural-slate dominant (the institutional/infrastructure register), transition-bronze for the US commercial rails and forward timeline, labor-rose for the pay-shop gap and the AI Act guardrails, alternative-sage for the mandate bridge and the open-rail case, synthesis-deep for the converging-regimes close.

Key frame:

RAILS · CO-DEFINED BY TWO REGIMES AN AGENT THAT SHOPS CANNOT PAY US COMMERCIAL · FAST, CONCENTRATED EU STATUTORY · SLOW, OPEN PSD3/PSR · MANDATORY API PARITY AI ACT · CREDIT SCORING HIGH-RISK FOUR INSTRUMENTS · ONE AGENT THE MANDATE BRIDGE WHICH FOUNDATION WINS · OPEN QUESTION

Implications of Dual Regulatory Frameworks on European AI Payments

This convergence of regulations means that European agentic commerce will develop more slowly than in the US, as legal recognition for AI payers depends on legislative timelines. However, the resulting infrastructure—built into law—may be more durable and open, with mandated API parity and open finance principles reducing control by individual banks and fostering a more inclusive, transparent ecosystem. The fundamental difference is that the US relies on private, privately controlled commercial rails, while Europe is constructing a statutory, open framework. This distinction could shape the future competitiveness and resilience of European AI-driven commerce, making the regulatory environment a critical factor in the evolution of agentic markets.

Amazon

AI payment authorization devices

As an affiliate, we earn on qualifying purchases.

European Regulatory Foundations for AI-Driven Payments

European regulation of digital payments has traditionally been driven by directives like PSD2, which established multi-factor authentication and open banking principles. The upcoming PSD3 and Payment Services Regulation (PSR), scheduled for implementation around 2028, aim to overhaul the payment infrastructure with mandatory API parity, requiring banks to expose their interfaces uniformly. Simultaneously, the EU AI Act, agreed upon in November 2025 with a planned implementation in 2026, classifies high-risk AI systems—used for credit scoring, fraud detection, and transaction authorization—as subject to strict oversight, including conformity assessments and human oversight. These two regimes are not coordinated but will jointly shape the legal environment for AI agents, with the PSD3/PSR focusing on payment infrastructure and the AI Act setting guardrails for AI capabilities.

“European agentic commerce is being co-defined by two regulatory regimes—PSD3/PSR and the AI Act—that together determine how AI agents can operate in financial transactions.”
— Thorsten Meyer

Amazon

European payment API integration tools

As an affiliate, we earn on qualifying purchases.

Unresolved Challenges in Harmonizing Regulations

It is not yet clear how quickly the European legal framework will recognize AI agents as legitimate payers, nor how the seams between PSD3/PSR and the AI Act will be managed in practice. The legislative timelines for PSD3/PSR (expected around 2028) and the AI Act (possibly slipping to 2027) suggest a phased implementation, but the coordination between these regimes remains uncertain. Additionally, the technical and legal standards for AI oversight, data access, and payment authorization are still evolving, leaving questions about how seamlessly AI agents will be integrated into Europe’s payment ecosystem.

Amazon

high-risk AI compliance software

As an affiliate, we earn on qualifying purchases.

Next Steps in Regulatory and Technical Development

The upcoming legislative milestones—passage and implementation of PSD3/PSR and the finalization of AI Act high-risk obligations—will shape the operational landscape for AI agents. Stakeholders are closely monitoring these developments, with efforts underway to develop technical standards and compliance processes. The European Commission and regulators are expected to clarify the recognition of AI agents as payers and to establish interoperability standards that bridge the two regimes. The first pilots and test environments are likely to emerge in the next 12-18 months, providing insights into how the legal and technical frameworks will function together in practice.

Amazon

autonomous payment systems for AI

As an affiliate, we earn on qualifying purchases.

Key Questions

Will AI agents in Europe be able to pay automatically in the near future?

It is not yet certain. The legal recognition of AI agents as payers depends on upcoming legislation and regulatory decisions, which are still in progress.

How do European regulations differ from those in the US regarding agentic payments?

In the US, private payment networks and commercial rails allow private firms to extend payment authority to agents. In Europe, the process is statutory, governed by regulation such as PSD3/PSR, which emphasizes open interfaces and human oversight, delaying autonomous agent payments.

What are the main challenges in harmonizing the two regimes?

The key challenges include coordinating legislative timelines, managing seams between infrastructure and AI guardrails, and establishing standards for AI oversight and payment authorization that satisfy both regimes’ requirements.

When might AI agents be fully operational as payers in Europe?

This depends on legislative progress; a realistic timeline suggests full operational capability could emerge around 2028, after the implementation of PSD3/PSR and AI Act regulations.

Why is Europe’s approach considered more durable than the US model?

Because Europe’s infrastructure is embedded in law, making it less susceptible to control by individual firms and more resilient to changes in private networks, potentially fostering a more open and stable agentic ecosystem.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.

The rails. Why European agentic commerce is co-defined by two converging regimes.

Up next

The bridge. Why the AI buildout runs on a nuclear story and a gas reality.

Author

The Event Within Team

Share article

The rails.
Why European agentic
commerce is co-defined by
two converging regimes.