📊 Full opportunity report: The rails. Why European agentic commerce is co-defined by two converging regimes. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European agentic commerce is being shaped by two simultaneous regulatory regimes—PSD3/PSR and the AI Act—that define how AI agents can operate in payments and AI systems. This convergence creates a complex, statutory infrastructure that influences market development and speeds of adoption.

European law requires human authorization for online payments, preventing AI agents from acting as payers despite technological capabilities. This legal constraint is being addressed through two major regulatory frameworks—PSD3/PSR and the AI Act—that are simultaneously shaping the infrastructure and guardrails for agentic commerce in Europe.

The core issue is that, unlike in the US where private infrastructure like Mastercard’s Agent Pay enables agent payments, Europe’s payment system is governed by statutory regulations, notably PSD2 and the upcoming PSD3/PSR. These laws mandate multi-factor human authentication and API parity, meaning banks must provide open access to their interfaces, but do not currently permit AI agents to act as payers without human oversight. Simultaneously, the EU AI Act classifies high-risk AI systems—such as those used for credit scoring or fraud detection—as subject to conformity assessments, human oversight, and registration, which impacts the development and deployment of AI agents in financial services. The convergence of these regimes—regulatory-driven payment rails and AI guardrails—means that the European agentic commerce system is being co-defined by statutory laws that are still under development, with implementation timelines stretching into 2027 and 2028. This creates a fragmented but deliberate infrastructure that differs fundamentally from the US’s faster, private-sector-led approach, emphasizing open, standardized interfaces and shared data substrates.

The Rails — Thorsten Meyer AI
RAILS
● DISPATCH / JUNE 2026
THORSTEN MEYER AI · AGENTIC COMMERCE · § 04
AGENTIC COMMERCE · 04
EUROPE / RAILS
Essay · European-Infrastructure Forensic · 2026-06-04

The rails.
Why European agentic
commerce is co-defined by
two converging regimes.

An agent that can shop cannot pay. The gap at the center of European agentic commerce isn’t a technology gap — it’s a legal one.
The AI can compare, choose, and fill the cart — but at payment, European law requires a human, not a machine, to authorize, and there’s no mechanism to treat an agent as a legal payer. In the US, agentic payments run on commercial rails (Mastercard Agent Pay, Visa Intelligent Commerce, Plaid) a few firms own and extend by decision. In Europe the rails are statutory — defined by regulation, and being rebuilt right now: PSD3/PSR (agreed Nov 2025, publishing summer 2026) with mandatory API parity, and the AI Act classifying credit scoring as high-risk. The structural argument: European agentic commerce isn’t a product shipped onto existing rails — it’s a system co-defined by two converging regulatory regimes, so the constraint isn’t the agent’s capability but the legal architecture it must run on, and that architecture is statutory, fragmented, and different in kind from the US commercial one.
can’t pay
An agent can shop but can’t pay ·
SCA needs a human payer
API parity
PSD3 forces banks to expose
first-class third-party interfaces
Aug 2 ’26
AI Act high-risk deadline ·
(Omnibus may slip it to 2027)
~2028
PSD3 full applicability ·
the clock agentic commerce runs on
THE RAILS· AN AGENT THAT CAN SHOP CANNOT PAY· THE CONSTRAINT IS LEGAL, NOT TECHNOLOGICAL· SCA REQUIRES A HUMAN PAYER · NO MECHANISM FOR AGENTS· US COMMERCIAL RAILS · EXTENDED BY DECISION · FAST, CONCENTRATED· EU STATUTORY RAILS · DEFINED BY LAW · SLOW, OPEN· PSD3/PSR AGREED NOV 27 2025 · PUBLISHING SUMMER 2026· MANDATORY API PARITY · NO MORE DEGRADED INTERFACES· DIRECT PAYMENT-SYSTEM ACCESS FOR NONBANKS · NO SPONSOR-BANK VETO· AI ACT · CREDIT SCORING IS HIGH-RISK· FOUR INSTRUMENTS · PSR / FIDA / PSD3 / AI ACT · ONE AGENT· THE FRICTION IS INTER-REGIME, NOT INTRA-REGIME· THE MANDATE BRIDGE · AUTHORIZE ONCE, DELEGATE BOUNDED ACTION· WHICH FOUNDATION AN AGENT ECONOMY PREFERS IS THE OPEN QUESTION· THE RAILS· AN AGENT THAT CAN SHOP CANNOT PAY· THE CONSTRAINT IS LEGAL, NOT TECHNOLOGICAL· SCA REQUIRES A HUMAN PAYER · NO MECHANISM FOR AGENTS· US COMMERCIAL RAILS · EXTENDED BY DECISION · FAST, CONCENTRATED· EU STATUTORY RAILS · DEFINED BY LAW · SLOW, OPEN· PSD3/PSR AGREED NOV 27 2025 · PUBLISHING SUMMER 2026· MANDATORY API PARITY · NO MORE DEGRADED INTERFACES· DIRECT PAYMENT-SYSTEM ACCESS FOR NONBANKS · NO SPONSOR-BANK VETO· AI ACT · CREDIT SCORING IS HIGH-RISK· FOUR INSTRUMENTS · PSR / FIDA / PSD3 / AI ACT · ONE AGENT· THE FRICTION IS INTER-REGIME, NOT INTRA-REGIME· THE MANDATE BRIDGE · AUTHORIZE ONCE, DELEGATE BOUNDED ACTION· WHICH FOUNDATION AN AGENT ECONOMY PREFERS IS THE OPEN QUESTION·
FIG. 01 — THE GAP · AN AGENT THAT SHOPS CANNOT PAY
The defining constraint on European agentic commerce is legal, not technical
The capability is present; the authority is absent
shop ✓
Compare, evaluate, fill the cart,
choose the best deal — capability is here
SCA
human
authentication
required
pay ✗
No mechanism to treat an agent
as the equivalent of a human payer
Strong Customer Authentication requires two of three factors — something the payer is (biometric), knows (password), possesses (a device). Each presumes a human; an autonomous agent has none in the SCA sense. Europe’s agentic-commerce bottleneck is its own payment law — a constraint that cannot be engineered around, only legislated through. The barrier is not a missing feature; it is the regime itself.
FIG. 02 — STATUTORY VS COMMERCIAL RAILS · WHY THE US PLAYBOOK DOESN’T PORT
Two foundations, different in kind
The US playbook assumes the rail’s owner sets the rule; in Europe the legislature does
US · commercial rails
Owned by networks, extended by decision
  • Mastercard Agent Pay, Visa Intelligent Commerce, Plaid
  • The rail’s owner sets the rule — extend to agents by product decision
  • Fast — moves at product speed
  • Concentrated — a few firms control access
EU · statutory rails
Defined by regulation, no owner
  • PSD2/PSD3, PSR, SCA, FIDA
  • The legislature sets the rule — no network can grant payer status
  • Slow — moves at legislative speed
  • Open — mandatory API parity, public data substrate
A US firm cannot bring Agent Pay to Europe and switch agents on — it must wait for the European regime to define how an agent authenticates, accesses data, and pays. The playbook’s central move (extend the rail by decision) is unavailable, because the rule is set by regulation. The same property that makes the EU stack slow — statutory rails — is the property that makes it open: no agent economy built on Visa’s permission is as open as one built on mandatory API parity.
FIG. 03 — THE PSD3/PSR REBUILD · THE NEW PAYMENT RAILS
The most consequential payments reform since PSD2 introduced open banking
The clock European agentic commerce runs on
Nov 27 2025
Parliament + Council reach provisional political agreement on PSD3 and the PSR
Summer 2026
Final texts expected in the Official Journal
+20 days
PSR (directly applicable) takes effect — mandatory API parity, nonbank payment-system access
~2028
PSD3 fully applicable after ~18-month transposition · the SCA rewrite lives in the PSR
Mandatory API parity means an agent gets a first-class bank interface by law — the difference between an agent that works and one quietly throttled by the bank whose customer it acts for. Direct payment-system access ends the sponsor-bank veto over fintech models. But the SCA accommodation that would let an agent pay is not yet written — it must live in the PSR, within a framework built to fight a $400B fraud problem.
FIG. 04 — THE AI ACT GUARDRAILS · THE MODEL REGIME
Running on the rails is necessary but not sufficient
The rails govern whether the agent can pay; the guardrails govern whether it can decide
The classification
Credit scoring = high-risk
Annex III loads it with conformity assessment, human oversight, registration, post-market monitoring. The heaviest tier.
The deadline
Aug 2 2026 — maybe
The May 2026 “Omnibus” proposes slipping high-risk to 2027 — not yet adopted; treat Aug 2026 as operative.
The reach
Extraterritorial
A US lab’s agent scoring a European user is in scope even if hosted offshore. The Brussels Effect, applied to agents.
The AI Act’s human-oversight requirement intersects directly with the payment regime’s human-authentication requirement: both regimes, from different directions, insist a human stay in the loop — the AI Act for the decision, the PSR for the payment. Non-compliance reaches up to 7% of global revenue. The guardrail shapes what an agent can do beyond paying — and because it reaches any system serving EU users, it shapes agentic finance globally.
FIG. 05 — THE MANDATE BRIDGE · HOW THE GAP GETS CROSSED
Not as an autonomous payer — as a bounded delegate of a human who authorized it once
The design that threads both regimes’ insistence on a human in the loop
The human · up front
Authorizes the mandate
Sets spending limits, allowed merchants, use cases — and authenticates once (satisfies SCA).
delegated,
within
limits
The agent · within bounds
Transacts inside the mandate
Acts without re-authenticating each payment — the boundaries satisfy AI Act oversight.
The mandate satisfies the payment regime’s human-authentication requirement (the human authorizes the mandate) and the AI Act’s human-oversight requirement (the human sets and can revoke the boundaries) simultaneously. For it to scale, the regimes must formalize it — the PSR’s SCA rewrite is where the legal basis would live, the AI Act’s oversight rules are where the boundary requirements would. This is the permission-and-boundary model the European approach favors over autonomous action.
Europe is betting that durable, open, publicly-owned rails produce a better agentic-commerce market than fast, concentrated, privately-owned ones — even at the cost of arriving later. Which foundation an agent economy actually prefers is the genuine open question.
Thorsten Meyer · The Rails · Agentic Commerce 04

Implications of Europe’s Dual Regulatory Frameworks for Agentic Commerce

This convergence of legal regimes in Europe means that the development of AI-powered financial agents will proceed at a slower pace compared to the US, due to legislative timelines and the need for compliance with high-risk AI standards. However, the resulting infrastructure—built on open APIs and shared data—may foster a more resilient, transparent, and inclusive market. For readers, this signifies that Europe’s approach prioritizes legal certainty and stability over speed, potentially leading to a different competitive landscape and innovation trajectory in agentic commerce.

Amazon

European open banking API developer tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Regulatory Evolution and Its Impact on Payment and AI Laws

Historically, Europe’s payment systems have been tightly regulated, with PSD2 introducing strong customer authentication and open banking. The upcoming PSD3/PSR aims to overhaul these rails, mandating API parity and direct access for non-bank providers, effectively democratizing payment infrastructure. Concurrently, the EU AI Act, agreed in November 2025, establishes high-risk obligations for AI systems, requiring conformity assessments, human oversight, and registration, with high-risk obligations expected to be implemented by 2027 or 2028. These developments are not coordinated but are converging, creating a complex legal environment that will govern AI agents in finance for years to come. Unlike the US, where private firms extend commercial rails, Europe’s statutory approach embeds the infrastructure within law, influencing the pace and nature of innovation.

“The question ‘can an AI agent pay for things in Europe’ has no technological answer, only a regulatory one.”

— Thorsten Meyer

Build Financial Software with Generative AI (From Scratch)

Build Financial Software with Generative AI (From Scratch)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Uncertainties Surrounding Implementation Timelines and Regime Interactions

It is not yet clear how quickly regulators will finalize and enforce PSD3/PSR and the AI Act, with legislative processes potentially slipping into 2027 or 2028. Additionally, how the two regimes will interact in practice—such as how AI systems will be integrated into the payment infrastructure and what specific compliance hurdles will emerge—is still uncertain. The extent to which these laws will facilitate or hinder rapid innovation remains to be seen.

Yubico - YubiKey 5C NFC - Multi-Factor authentication (MFA) Security Key and passkey, Connect via USB-C or NFC, FIDO Certified - Protect Your Online Accounts

Yubico – YubiKey 5C NFC – Multi-Factor authentication (MFA) Security Key and passkey, Connect via USB-C or NFC, FIDO Certified – Protect Your Online Accounts

POWERFUL SECURITY KEY: The YubiKey 5C NFC is the most versatile physical passkey, protecting your digital life from…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Regulatory Development and Market Adaptation

Regulators are expected to publish detailed implementation rules for PSD3 and the AI Act over the next 12 to 24 months. Financial institutions, AI developers, and fintech firms are preparing for compliance, with pilot programs and pilot regulations likely to emerge. Observers will watch how the legal frameworks influence the pace of AI agent adoption and the structure of the European agentic commerce market, which may differ significantly from the US model.

DALIX Bank Bags Money Pouch Security Deposit Utility Zipper Coin Bag Blue 2 Pack

DALIX Bank Bags Money Pouch Security Deposit Utility Zipper Coin Bag Blue 2 Pack

FEATURES: THIS IS A 2 PACK QUANTITY. Main Zipper Compartment, Dalix original hardware zippers, Slightly expandable

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How will the European laws affect AI agents’ ability to make payments?

European laws require human authorization for payments, meaning AI agents cannot act as payers until the laws explicitly permit it, which is still under development.

When will the new regulations be fully enforced?

Legislative timelines suggest enforcement could begin between 2027 and 2028, but exact dates depend on legislative progress and regulatory implementation.

How does Europe’s approach differ from the US?

Europe’s approach is statutory, built into law with open, mandated interfaces, whereas the US relies on private, commercial rails controlled by firms like Mastercard and Visa.

Will the regulatory complexity slow down innovation?

Yes, the slower legislative process and high compliance standards may delay the deployment of fully autonomous AI agents in payments, but could lead to more durable and transparent systems.

What are the risks of fragmented regulation?

Fragmentation could lead to implementation challenges, inconsistencies, and delays, but it also offers opportunities for more tailored, high-quality regulation.

Source: ThorstenMeyerAI.com

You May Also Like

Hightouch (YC S19) Is Hiring

Hightouch, a YC-backed Series D startup, has publicly announced a large-scale hiring effort across various departments, signaling growth and expansion.

Enhance Your Life with AI-Powered Virtual Assistants

In today’s fast-paced society, it is crucial to find methods to simplify…

The Anthropic IPO Disclosure Document: What the S-1 Has to Say Before October

Anthropic’s upcoming S-1 filing reveals critical details about revenue, risks, and valuation, shaping expectations for its October Nasdaq debut.

Uber’s $1,500/month AI limit is a useful signal for AI tool pricing

Uber caps employee AI coding tool spending at $1,500 monthly, revealing insights into enterprise AI tool pricing and management strategies.