Alexandre Lamfalussy was born in Kapuvár, Hungary on 26 April 1929. He left the country in January 1949 as a political refugee, took his economics degree at the Catholic University of Louvain, and a doctorate at Nuffield College, Oxford. As founding president of the European Monetary Institute (the forerunner of the European Central Bank), he guided the preparatory work for the launch of the single currency in January 1999. In 2000 he was asked to chair the EU's Committee of Wise Men on the Regulation of European Securities Markets. The European Council adopted his committee's report at the Stockholm summit on 23 March 2001. He died in 2015, a Belgian baron, decorated with Hungary's Grand Cross of the Order of Saint Stephen.
The Wise Men report was, ostensibly, about MiFID-era securities markets. Between 2002 and 2004 the approach was extended across banking, insurance and fund management. The post-crisis reforms of 2010 and 2011 transformed its banking-sector committee into the European Banking Authority. Every PSD2 RTS you have ever read against, every EBA Opinion you have cited, every Q&A you have trawled for an interpretive crumb: all produced through the four-level system Lamfalussy designed. Including, now, every line of secondary law that will make PSD3 and the PSR applicable to your business.
If you are tracking the PSD3/PSR file because you have a compliance plan or a build to commit to, you are downstream of his framework whether you know it or not.
The four levels
Lamfalussy's framework splits financial services regulation into four levels. Each has a different actor, a different legal weight, and a different timetable. Knowing which level you are reading is most of the work.
Level 1: primary legislation. The framework instruments adopted by the European Parliament and Council under the ordinary legislative procedure. Regulations apply directly across all member states; directives require national transposition. PSD2 is a directive; the PSR will be a regulation; PSD3 will be a directive. Level 1 sets out what must be done. It rarely sets out how.
A Level 1 instrument has two parts that need different treatment. The operative articles are the binding obligations: this is what creates legal duties. The recitals at the front of the text, sometimes a hundred or more, are the policy reasoning behind the articles. Recitals tell you what the legislator was trying to achieve and can be cited by the CJEU to interpret an article that is ambiguous. They do not create obligations of their own.
This trips people up regularly. A recital can contain a striking sentence that suggests an obligation the operative articles do not actually impose. The PSR's negotiating texts contain several such sentences on technical service provider liability, and law-firm briefings have not always been careful about which is which. The discipline is simple: when you see something interesting in a recital, look for the matching article. If there is no matching article, the recital is interpretive guidance only. Useful for understanding intent. Not something to build to.
Level 2: delegated and implementing acts. Often called secondary legislation in practitioner shorthand. These are the Commission Delegated Regulations and Implementing Regulations that fill in the operational detail Level 1 deliberately leaves out. They are drafted by the relevant European Supervisory Authority (the EBA, for payments) under explicit mandates contained in the Level 1 text. Two forms matter: Regulatory Technical Standards (RTS) for substantive detail, and Implementing Technical Standards (ITS) for templates and procedures. The PSD2 SCA RTS, formally Commission Delegated Regulation 2018/389, is the canonical payments example. Level 2 is binding law. It is also where the things that affect your build are decided.
Level 3: supervisory convergence. EBA Guidelines, Opinions and Q&As. Not binding on regulated firms in the strict sense. National competent authorities apply a "comply or explain" obligation to formal Article 16 Guidelines, and most regulated institutions therefore treat them as binding in practice. The EBA Opinion of June 2019 on the elements of strong customer authentication, and the follow-up Opinion of October 2019 setting the EU-wide migration deadline of 31 December 2020, are the canonical PSD2 examples. Level 3 is where ambiguity in Levels 1 and 2 gets clarified, often in ways that materially change what compliance looks like.
Level 4: enforcement. Commission infringement proceedings against member states, peer review of NCAs, supervisory practice, and CJEU case law. Less visible day-to-day, but the level at which a regulator finally does something about an institution that read the previous three levels and ignored them.
The four levels run on staggered timetables. Level 1 lands first. Level 2 follows after consultation. Level 3 fills the gaps as practice exposes them. Level 4 catches up at its own pace. Reading PSD3/PSR without knowing which level you are holding is like reading a contract without knowing which clauses are operative.
Why Coreper approval isn't go-live
Coreper approval matters. It signals that the political negotiation is over and the text is settled. But it is a long way from the moment your fraud team needs to enforce a particular dynamic linking rule against a real transaction, and the gap between "approved" and "applicable" is where build plans go wrong.
The PSD2 timeline gives you a usable benchmark. Counting from the day PSD2 entered the Official Journal: transposition was complete around month 25; the SCA RTS appeared in the OJ around month 27; it applied around month 45; the EBA's supervisory flexibility for e-commerce SCA expired around month 60; and the UK, enforcing its onshored equivalent, did so around month 69. Five years and nine months from the start of the clock to the last European supervisor enforcing one slice of secondary law.
PSD3/PSR will run on a similar shape. OJ publication is expected in summer 2026. The PSR's transition period was extended in trilogue from 18 months to 21 months, putting direct application around month 21 of its own clock. PSD3 transposition runs alongside, and its directive status leaves room for national variation. The EBA's RTS pipeline starts shortly after Level 1 publication and runs for around 24 to 36 months; some standards land before the application date and some after. By the PSD2 benchmark, full enforcement of the PSD3/PSR perimeter is plausibly a 2030 conversation, not a 2028 one.
If the build plan in front of you treats Council formal adoption, or even OJ publication, as the trigger event, it is operating a level too high. The trigger event for any specific operational requirement is the application date of the relevant secondary measure, qualified by whatever Opinion the EBA chooses to publish in the meantime. That can be eighteen months later, or three years later, or never. The framework does not tell you up front. It reveals itself level by level.
What this means for the rest of the year
The black box has a logic. Once the four levels are visible, the apparent confusion of timelines and instruments resolves into a sequenced process that has been running, with minor variations, since 2001.
I'll come back to specific PSD3 and PSR provisions in subsequent posts. Different obligations land at different levels, on different timetables, with different binding force. Knowing which is which is the difference between a programme that ships and one that gets re-scoped twice.