The rails. Why European agentic commerce is co-defined by two converging regimes.
Up next
Author
Share article
The post has been shared by 0 people.
Facebook 0
X (Twitter) 0
Pinterest 0
Mail 0

📊 Full opportunity report: The rails. Why European agentic commerce is co-defined by two converging regimes. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European agentic commerce is being shaped by two regulatory regimes—PSD3/PSR and the AI Act—resulting in a statutory, fragmented infrastructure that influences how AI agents can operate. This approach is slower but aims for more durable, open systems.

European law currently prevents AI agents from executing payments without human authorization, despite technological capabilities. New regulations—PSD3/PSR and the AI Act—are simultaneously rewriting the payment infrastructure and establishing high-risk AI standards, shaping the future of agentic commerce in Europe.

The core issue in European agentic commerce is a legal gap: AI can compare products and fill shopping carts but cannot pay, as European law mandates human authorization for online payments. Unlike the US, where private payment networks like Mastercard and Visa extend agent payments through proprietary rails, Europe’s payment system is statutory, governed by regulations such as PSD2, PSD3, and the upcoming Payment Services Regulation (PSR). These regulations require multi-factor human authentication, and the new PSD3/PSR, scheduled for implementation around 2028, will rebuild payment rails with mandatory API parity, exposing banking interfaces as capable as their consumer apps. Simultaneously, the EU’s AI Act, set to impose high-risk obligations on AI systems involved in finance—such as credit scoring and fraud detection—will require conformity assessments, human oversight, and registration, with high-risk obligations landing in 2026. These two regulatory regimes were not designed together but are converging in 2026-2028, creating a fragmented and complex infrastructure that governs how AI agents can operate. The structural consequence is that European agentic commerce is being co-defined by these two regimes, which differ in scope, timelines, and authority. While the US relies on private, commercially controlled rails, Europe’s system is statutory, open, and controlled by law, which makes it slower but potentially more durable and open. The convergence means that the ability of an AI agent to pay or assess requires navigating a layered, regulated environment, not just technological capability.

The Rails — Thorsten Meyer AI
RAILS
● DISPATCH / JUNE 2026
THORSTEN MEYER AI · AGENTIC COMMERCE · § 04
AGENTIC COMMERCE · 04
EUROPE / RAILS
Essay · European-Infrastructure Forensic · 2026-06-04

The rails.
Why European agentic
commerce is co-defined by
two converging regimes.

An agent that can shop cannot pay. The gap at the center of European agentic commerce isn’t a technology gap — it’s a legal one.
The AI can compare, choose, and fill the cart — but at payment, European law requires a human, not a machine, to authorize, and there’s no mechanism to treat an agent as a legal payer. In the US, agentic payments run on commercial rails (Mastercard Agent Pay, Visa Intelligent Commerce, Plaid) a few firms own and extend by decision. In Europe the rails are statutory — defined by regulation, and being rebuilt right now: PSD3/PSR (agreed Nov 2025, publishing summer 2026) with mandatory API parity, and the AI Act classifying credit scoring as high-risk. The structural argument: European agentic commerce isn’t a product shipped onto existing rails — it’s a system co-defined by two converging regulatory regimes, so the constraint isn’t the agent’s capability but the legal architecture it must run on, and that architecture is statutory, fragmented, and different in kind from the US commercial one.
Thorsten Meyer ThorstenMeyerAI.com Munich · Iffeldorf Essay · ~5,300 words Agentic Commerce · 04
can’t pay
An agent can shop but can’t pay ·
SCA needs a human payer
API parity
PSD3 forces banks to expose
first-class third-party interfaces
Aug 2 ’26
AI Act high-risk deadline ·
(Omnibus may slip it to 2027)
~2028
PSD3 full applicability ·
the clock agentic commerce runs on
THE RAILS· AN AGENT THAT CAN SHOP CANNOT PAY· THE CONSTRAINT IS LEGAL, NOT TECHNOLOGICAL· SCA REQUIRES A HUMAN PAYER · NO MECHANISM FOR AGENTS· US COMMERCIAL RAILS · EXTENDED BY DECISION · FAST, CONCENTRATED· EU STATUTORY RAILS · DEFINED BY LAW · SLOW, OPEN· PSD3/PSR AGREED NOV 27 2025 · PUBLISHING SUMMER 2026· MANDATORY API PARITY · NO MORE DEGRADED INTERFACES· DIRECT PAYMENT-SYSTEM ACCESS FOR NONBANKS · NO SPONSOR-BANK VETO· AI ACT · CREDIT SCORING IS HIGH-RISK· FOUR INSTRUMENTS · PSR / FIDA / PSD3 / AI ACT · ONE AGENT· THE FRICTION IS INTER-REGIME, NOT INTRA-REGIME· THE MANDATE BRIDGE · AUTHORIZE ONCE, DELEGATE BOUNDED ACTION· WHICH FOUNDATION AN AGENT ECONOMY PREFERS IS THE OPEN QUESTION· THE RAILS· AN AGENT THAT CAN SHOP CANNOT PAY· THE CONSTRAINT IS LEGAL, NOT TECHNOLOGICAL· SCA REQUIRES A HUMAN PAYER · NO MECHANISM FOR AGENTS· US COMMERCIAL RAILS · EXTENDED BY DECISION · FAST, CONCENTRATED· EU STATUTORY RAILS · DEFINED BY LAW · SLOW, OPEN· PSD3/PSR AGREED NOV 27 2025 · PUBLISHING SUMMER 2026· MANDATORY API PARITY · NO MORE DEGRADED INTERFACES· DIRECT PAYMENT-SYSTEM ACCESS FOR NONBANKS · NO SPONSOR-BANK VETO· AI ACT · CREDIT SCORING IS HIGH-RISK· FOUR INSTRUMENTS · PSR / FIDA / PSD3 / AI ACT · ONE AGENT· THE FRICTION IS INTER-REGIME, NOT INTRA-REGIME· THE MANDATE BRIDGE · AUTHORIZE ONCE, DELEGATE BOUNDED ACTION· WHICH FOUNDATION AN AGENT ECONOMY PREFERS IS THE OPEN QUESTION·
FIG. 01 — THE GAP · AN AGENT THAT SHOPS CANNOT PAY
The defining constraint on European agentic commerce is legal, not technical
The capability is present; the authority is absent
shop ✓
Compare, evaluate, fill the cart,
choose the best deal — capability is here
SCA
human
authentication
required
pay ✗
No mechanism to treat an agent
as the equivalent of a human payer
Strong Customer Authentication requires two of three factors — something the payer is (biometric), knows (password), possesses (a device). Each presumes a human; an autonomous agent has none in the SCA sense. Europe’s agentic-commerce bottleneck is its own payment law — a constraint that cannot be engineered around, only legislated through. The barrier is not a missing feature; it is the regime itself.
FIG. 02 — STATUTORY VS COMMERCIAL RAILS · WHY THE US PLAYBOOK DOESN’T PORT
Two foundations, different in kind
The US playbook assumes the rail’s owner sets the rule; in Europe the legislature does
US · commercial rails
Owned by networks, extended by decision
  • Mastercard Agent Pay, Visa Intelligent Commerce, Plaid
  • The rail’s owner sets the rule — extend to agents by product decision
  • Fast — moves at product speed
  • Concentrated — a few firms control access
EU · statutory rails
Defined by regulation, no owner
  • PSD2/PSD3, PSR, SCA, FIDA
  • The legislature sets the rule — no network can grant payer status
  • Slow — moves at legislative speed
  • Open — mandatory API parity, public data substrate
A US firm cannot bring Agent Pay to Europe and switch agents on — it must wait for the European regime to define how an agent authenticates, accesses data, and pays. The playbook’s central move (extend the rail by decision) is unavailable, because the rule is set by regulation. The same property that makes the EU stack slow — statutory rails — is the property that makes it open: no agent economy built on Visa’s permission is as open as one built on mandatory API parity.
FIG. 03 — THE PSD3/PSR REBUILD · THE NEW PAYMENT RAILS
The most consequential payments reform since PSD2 introduced open banking
The clock European agentic commerce runs on
Nov 27 2025
Parliament + Council reach provisional political agreement on PSD3 and the PSR
Summer 2026
Final texts expected in the Official Journal
+20 days
PSR (directly applicable) takes effect — mandatory API parity, nonbank payment-system access
~2028
PSD3 fully applicable after ~18-month transposition · the SCA rewrite lives in the PSR
Mandatory API parity means an agent gets a first-class bank interface by law — the difference between an agent that works and one quietly throttled by the bank whose customer it acts for. Direct payment-system access ends the sponsor-bank veto over fintech models. But the SCA accommodation that would let an agent pay is not yet written — it must live in the PSR, within a framework built to fight a $400B fraud problem.
FIG. 04 — THE AI ACT GUARDRAILS · THE MODEL REGIME
Running on the rails is necessary but not sufficient
The rails govern whether the agent can pay; the guardrails govern whether it can decide
The classification
Credit scoring = high-risk
Annex III loads it with conformity assessment, human oversight, registration, post-market monitoring. The heaviest tier.
The deadline
Aug 2 2026 — maybe
The May 2026 “Omnibus” proposes slipping high-risk to 2027 — not yet adopted; treat Aug 2026 as operative.
The reach
Extraterritorial
A US lab’s agent scoring a European user is in scope even if hosted offshore. The Brussels Effect, applied to agents.
The AI Act’s human-oversight requirement intersects directly with the payment regime’s human-authentication requirement: both regimes, from different directions, insist a human stay in the loop — the AI Act for the decision, the PSR for the payment. Non-compliance reaches up to 7% of global revenue. The guardrail shapes what an agent can do beyond paying — and because it reaches any system serving EU users, it shapes agentic finance globally.
FIG. 05 — THE MANDATE BRIDGE · HOW THE GAP GETS CROSSED
Not as an autonomous payer — as a bounded delegate of a human who authorized it once
The design that threads both regimes’ insistence on a human in the loop
The human · up front
Authorizes the mandate
Sets spending limits, allowed merchants, use cases — and authenticates once (satisfies SCA).
delegated,
within
limits
The agent · within bounds
Transacts inside the mandate
Acts without re-authenticating each payment — the boundaries satisfy AI Act oversight.
The mandate satisfies the payment regime’s human-authentication requirement (the human authorizes the mandate) and the AI Act’s human-oversight requirement (the human sets and can revoke the boundaries) simultaneously. For it to scale, the regimes must formalize it — the PSR’s SCA rewrite is where the legal basis would live, the AI Act’s oversight rules are where the boundary requirements would. This is the permission-and-boundary model the European approach favors over autonomous action.
Europe is betting that durable, open, publicly-owned rails produce a better agentic-commerce market than fast, concentrated, privately-owned ones — even at the cost of arriving later. Which foundation an agent economy actually prefers is the genuine open question.
Thorsten Meyer · The Rails · Agentic Commerce 04
Source dossier
  • Finextra (Zelezkins) · Agentic AI in payments 2026“the main barrier is not technological capability but legal and regulatory constraints”; PSD2/SCA require human authorization, “no current mechanism for AI agents to be treated as equivalent to a human payer”; Mastercard Agent Pay, Visa Intelligent Commerce; the pre-approved spending mandate model · [finextra.com](https://www.finextra.com/blogposting/30920/agentic-ai-in-payments-in-2026-whats-real-whats-pilot-and-whats-still-hype)
  • Taylor Wessing · Agentic AI in paymentsAI Act applying in full from Aug 2 2026, risk-based; provider/deployer distinction; SCA’s two-of-three factors built around a human payer · [taylorwessing.com](https://www.taylorwessing.com/en/insights-and-events/insights/2026/02/agentic-ai-in-payments)
  • Crassula · PSD3 and PSR 2026provisional agreement Nov 27 2025; publication H1/summer 2026; 21-month transition; PI/EMI merger; IBAN-name check; APP-fraud liability; FIDA still in trilogue (extends open banking to investments, pensions, insurance, mortgages) · [crassula.io](https://crassula.io/guides/licenses/psd3-psr/)
  • Open Banking / PSD3 restarts the revolutionPSD3 publication H1 2026, applicability Q2/Q3 2028; PSR directly applicable 20 days after; mandatory API parity (banks maintain third-party APIs to their own standard); FIDA open finance · [mybusinessfuture.com](https://mybusinessfuture.com/en/open-banking-has-failed-why-psd3-will-restart-it/)
  • Speednet · PSD3/PSR architectural reset$400B fraud-loss forecast; direct payment-system access for nonbanks ends sponsor-bank dependency and the bank veto; consent dashboards; 4%-turnover penalties · [speednetsoftware.com](https://speednetsoftware.com/psd3-and-psr-an-architectural-reset-for-european-digital-payments/)
  • Linklaters · Payments in 2026 #3 (PSD3)law ~mid-2026; verification-of-payee on all transfers; spending limits and blocking; the EBA’s ~40 mandates; Q2 2026 EBA implementation roadmap · [financialregulation.linklaters.com](https://financialregulation.linklaters.com/post/102mei6/payments-in-2026-3-psd3)
  • CSA / Lab Space · EU AI Act high-risk deadlineAug 2 2026 binding for high-risk (Arts 9-17 providers, Art 26 deployers); the Nov 2025 delay-to-2027 proposal “not enacted — treat Aug 2026 as operative”; conformity assessment, registration, FRIAs, six-month log retention · [labs.cloudsecurityalliance.org](https://labs.cloudsecurityalliance.org/research/csa-research-note-eu-ai-act-high-risk-compliance-deadline-20/)
  • Latham & Watkins · AI Act Omnibus (May 7 2026)political agreement extending certain high-risk deadlines, formal adoption expected by July 2026 ahead of Aug 2; watermarking grandfathered to Dec 2 2026; fines up to €15M or 3% of turnover · [lw.com](https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines)
  • Secure Privacy · EU AI Act 2026credit-application assessment as high-risk; extraterritorial reach (US loan-approval AI serving EU customers in scope even if hosted offshore); up to 7% of global revenue · [secureprivacy.ai](https://secureprivacy.ai/blog/eu-ai-act-2026-compliance)
  • The bank account / Unbundled / The mandate · Thorsten Meyer · Agentic Commerce 01-02-03 · the consumer agent whose payment is blocked, the PFM layer FIDA would open, the conduct regime this infrastructure piece complements
Colophon

Set in Source Serif 4 (display, italic accent), EB Garamond (body), IBM Plex Sans (UI labels), IBM Plex Mono (mastheads, ticker, stamps). Paper-cool gray-cream #e6e7e4.

Chromatic register: structural-slate dominant (the institutional/infrastructure register), transition-bronze for the US commercial rails and forward timeline, labor-rose for the pay-shop gap and the AI Act guardrails, alternative-sage for the mandate bridge and the open-rail case, synthesis-deep for the converging-regimes close.

Key frame:

RAILS · CO-DEFINED BY TWO REGIMES AN AGENT THAT SHOPS CANNOT PAY US COMMERCIAL · FAST, CONCENTRATED EU STATUTORY · SLOW, OPEN PSD3/PSR · MANDATORY API PARITY AI ACT · CREDIT SCORING HIGH-RISK FOUR INSTRUMENTS · ONE AGENT THE MANDATE BRIDGE WHICH FOUNDATION WINS · OPEN QUESTION

Implications of Dual Regulatory Foundations for European AI Commerce

This regulatory architecture shapes the future of AI-driven commerce in Europe by creating a slower, more open infrastructure compared to the US. While this approach delays the deployment of fully autonomous payment agents, it also establishes a legal environment that aims for transparency, interoperability, and resilience. The statutory, open-access rails could foster a more competitive and innovative ecosystem, but the pace of implementation remains uncertain. Ultimately, the success of European agentic commerce will depend on which regulatory framework proves more adaptable and effective in supporting practical, scalable AI payment systems.

Amazon

European payment API integration tools

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Regulatory Evolution and Its Impact on AI Payments

European regulators are actively reforming digital payment and AI governance frameworks. The PSD3 and Payment Services Regulation (PSR), scheduled for adoption around 2026-2028, aim to overhaul payment infrastructure with mandatory API parity and open finance principles, moving away from private, proprietary rails. Concurrently, the EU’s AI Act, finalized in late 2025 with high-risk obligations expected to take effect by 2026, classifies AI systems involved in financial transactions as high-risk, requiring oversight, conformity assessments, and registration.

These developments follow years of debate over digital sovereignty, privacy, and consumer protection, leading to a cautious but deliberate approach to AI and payments regulation. Unlike the US, where private firms extend payment capabilities through commercial networks, Europe’s laws enforce a statutory architecture designed to ensure interoperability and transparency, but at the cost of slower deployment.

“European agentic commerce is not a product the labs ship onto existing rails; it is a system being co-defined by two converging regulatory regimes.”

— Thorsten Meyer

FancyDove AI Assistant Device Powered by ChatGPT, No Subscription Needed, Standalone AI Chatbot Translator, AI Tutor for Learning, Writing & Homework, Portable AI Gadget for Students & Travel Black

FancyDove AI Assistant Device Powered by ChatGPT, No Subscription Needed, Standalone AI Chatbot Translator, AI Tutor for Learning, Writing & Homework, Portable AI Gadget for Students & Travel Black

No Subscription & Lifetime Access – Pay Once, Use AI Forever: Enjoy powerful AI chat, writing, translation, and…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Implementation Timelines and Effectiveness

It remains unclear how quickly the new regulations will be adopted and how effectively they will enable autonomous AI payments. The PSD3/PSR is still in development, with implementation expected around 2028, and the AI Act’s high-risk obligations may slip beyond 2026. Additionally, the practical interoperability of these regimes and their impact on AI agent capabilities are still uncertain, as are the legal and technical mechanisms for AI agents to act as payers.

Yubico - YubiKey 5C NFC - Multi-Factor authentication (MFA) Security Key and passkey, Connect via USB-C or NFC, FIDO Certified - Protect Your Online Accounts

Yubico – YubiKey 5C NFC – Multi-Factor authentication (MFA) Security Key and passkey, Connect via USB-C or NFC, FIDO Certified – Protect Your Online Accounts

POWERFUL SECURITY KEY: The YubiKey 5C NFC is the most versatile physical passkey, protecting your digital life from…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Regulatory Adoption and Technical Integration

European regulators are expected to finalize PSD3 and PSR regulations by 2027-2028, with ongoing trilogue discussions on the AI Act potentially extending high-risk obligations into 2027. Industry stakeholders are preparing for these changes, focusing on developing compliant AI systems and payment interfaces. The first practical tests of agentic commerce under the new regime may occur in pilot projects or phased rollouts over the next 1-2 years, providing insights into how the statutory rails support autonomous payments and AI-driven financial decision-making.

DocuGard Blue/Red Premier Prismatic Top High Security Check Paper - Laser/Inkjet Printer Compatible - 13 Security Features - 2500 Blank Business Checks (04532C)

DocuGard Blue/Red Premier Prismatic Top High Security Check Paper – Laser/Inkjet Printer Compatible – 13 Security Features – 2500 Blank Business Checks (04532C)

Easily manage payroll, vendor payments, and client transactions. This check has 13 comprehensive security features that are recommended…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why can’t European AI agents pay for goods right now?

European law requires human authorization for online payments, and current regulations do not recognize AI agents as legal payers. The legal framework enforces multi-factor authentication and does not yet provide mechanisms for AI to act as a payer without human oversight.

How are European regulations different from those in the US?

In the US, private payment networks like Mastercard and Visa extend agent payments through proprietary infrastructure, allowing faster deployment. In Europe, the system is statutory, governed by laws like PSD2, PSD3, and the AI Act, which enforce open, interoperable, and transparent payment and AI governance standards, leading to slower but more open systems.

When will European AI agents be able to pay autonomously?

It is uncertain. The new regulations are still being finalized, with implementation expected around 2027-2028. Practical capabilities will depend on how quickly the legal and technical frameworks are adopted and integrated.

What are the advantages of Europe’s regulatory approach?

Europe’s statutory, open framework aims to create resilient, transparent, and interoperable AI commerce systems that are less dependent on private control, potentially fostering more competition and innovation over the long term.

Source: ThorstenMeyerAI.com

You May Also Like
The calendar technicality. Why Elon Musk’s lawsuit against Sam Altman and OpenAI lost on timing, not on substance.

The calendar technicality. Why Elon Musk’s lawsuit against Sam Altman and OpenAI lost on timing, not on substance.

A California jury dismissed Elon Musk’s lawsuit over OpenAI’s restructuring, citing timing issues. The case’s legal implications remain unresolved.
The citation. Why generative engine optimization rewards the same brand on the least stable ground.

The citation. Why generative engine optimization rewards the same brand on the least stable ground.

Generative engine optimization (GEO) favors well-known brands in AI citations, reinforcing existing authority and decaying quickly, raising questions about its long-term viability.
The pyramid cracks. What agentic AI does to the consulting leverage model.

The pyramid cracks. What agentic AI does to the consulting leverage model.

Generative AI disrupts traditional consulting by compressing analysis work, causing industry segmentation and talent pipeline impacts, with winners in deployment.
Employee handbook change digest for small employers

Employee handbook change digest for small employers

A new workflow for small employers to efficiently update employee handbooks is being tested, focusing on policy changes without dedicated HR teams.