Payments regulation in 2026: key deadlines and events to watch
2 February 2026
After a year of major regulatory milestones, the payments industry heads into 2026 on different footing. Many of the legislative changes that once came with looming deadlines are now live, embedded into systems and being tested under real operating conditions.
For payments teams, 2026 is less about major go-lives and more about what happens once the rules are in effect: enforcement, resilience, data quality, and consistent day-to-day performance.
Below, we’ve outlined the confirmed regulatory deadlines and milestones to watch in 2026, followed by key non-binding developments institutions should continue to monitor, as they shape strategic planning across the payments ecosystem.
Confirmed regulatory and scheme milestones
January 2026
EU: DORA enters its first full supervisory year
While the Digital Operational Resilience Act (DORA) formally applied from January 2025, 2026 marks the first full year of supervisory enforcement across the EU.
As a result, regulatory attention is expected to move beyond readiness assessments and towards how ICT risk is managed in practice, across live systems and services.
In payments, this brings greater focus on the resilience of payment processing, third-party dependencies, incident response, and recovery capabilities under real operating conditions.
March 2026
Australia: Updated AML/CTF obligations take effect — 31 March
Australia’s updated Anti-Money Laundering and Counter-Terrorism Financing framework introduces changes to existing compliance obligations for regulated entities.
From 31 March 2026, updated requirements apply to current reporting entities, with additional sectors brought into scope later in the year.
For institutions operating in, or servicing, the Australian market, this marks a point at which AML and CTF controls are expected to operate consistently under the revised framework, particularly across transaction monitoring, reporting processes, and customer due diligence.
May 2026
UK: Safeguarding reforms for PIs and EMIs — 7 May
The UK’s updated safeguarding framework for payment institutions and electronic money institutions comes into force in May 2026.
The reforms strengthen requirements around how customer funds are protected, reconciled, and reported, with greater emphasis on auditability, record-keeping, and insolvency preparedness.
In practice, this places increased focus on the clarity and consistency of safeguarding arrangements, as well as on the evidence institutions can provide to demonstrate compliance on an ongoing basis.
For firms in scope, the changes reinforce safeguarding as an operational discipline, not just a structural requirement, with expectations extending across processes, controls, and supporting systems.
July 2026
UK: Buy Now, Pay Later (BNPL) regulation begins — 15 July
Anticipated regulatory developments to monitor
EU: PSD3 and Payment Services Regulation (PSR)
Following political agreement in 2024 and 2025, PSD3 and the new Payment Services Regulation are expected to move through specification, supervisory guidance, and national preparation phases during 2026.
While formal application dates extend beyond the year, many institutions are already reviewing potential implications for licensing models, fraud prevention approaches, access to payment systems, and supervisory oversight.
Continued ISO 20022 tightening beyond CBPR+
As ISO 20022 becomes the default format across a growing range of payment flows, validation rules continue to tighten, with reduced tolerance for MT and MX translation and higher expectations around end-to-end structured data.
This trend extends beyond CBPR+ and is shaping both domestic and cross-border payment ecosystems globally, reinforcing structured data as a baseline requirement rather than an optional enhancement.
Closing perspective
In 2026, the payments regulatory landscape will be defined less by headline deadlines and more by what happens once rules are live.
Across regions, the focus is shifting towards enforcement, operational resilience, data quality, and sustained performance under supervisory scrutiny. Regulation is no longer something to prepare for and move past. It has become an ongoing operating condition for payment services.
This places greater emphasis on flexibility at the platform level. Institutions need payment systems that can adapt as requirements evolve, support real-time and cross-border flows, and provide the transparency and control regulators increasingly expect, without relying on repeated large-scale change programmes.
Mambu Payments is designed for this environment, supporting modern payment rails, real-time processing, and fully managed, API-driven integrations. This gives institutions the ability to respond to regulatory change through configuration and iteration rather than structural overhaul.
If you would like to explore how Mambu Payments can support your payments strategy in 2026 and beyond, please get in touch with our team.