Digital Identity, eIDAS, and the Legal Reality of EU Payment Systems

Europe is building the legal foundations of its digital future at speed. From digital identity under eIDAS to new rules shaping payment infrastructure, regulation is meant to standardise trust across borders. But once these frameworks meet real payment systems, legal clarity often gives way to practical trade-offs. Looking at digital identity, open finance, and cross-border payments together reveals where regulation works, and where it still struggles to reflect how people actually use financial services.
Accountability and Legal Responsibility Under eIDAS 2.0
Modern solutions that make citizens’ lives easier and improve the functioning of the economy in an increasingly digitised reality are being developed in Europe. In this context, the dynamic growth of mobile payment systems such as Bizum, BLIK, Swish, or Vipps is particularly encouraging.
The development of online banking at the turn of the 20th and 21st centuries freed bank customers from the need to stand in queues at branch counters. Mobile payments were a natural second step in this direction. This second phase of the technological revolution in banking embedded payment services into everyday life, in which mobile phones began to play a dominant role. It included the widespread adoption of contactless payments, which for many users answered the practical question of what a contactless payment is through everyday use rather than theory.
As consumers grew accustomed to such seamless, time-saving experiences, it became clear that similar solutions should also be applied to other areas of life, especially interactions with public administration. The pandemic period proved that many official matters can also be handled remotely. However, the lack of tools enabling remote identification of petitioners was strongly felt. In Poland, the identification solutions used in banking worked extremely well in this regard, later complemented by state-backed initiatives such as mObywatel 2.0, which further strengthened trust in digital identity systems.
Europe, viewed as a unified organisational and economic space, needs a harmonised model of identity verification tools. For this reason, the efforts undertaken to introduce the eIDAS 2.0 regulation should be recognised as an important step in the right direction for digital identity regulation in Europe.
A key issue in implementing regulations related to digital identity is the responsibility for data and its technical protection. After all, we are dealing with a tool that is intended to transfer our declarations of intent — made in matters as important as, for example, the acquisition of real estate — from analogue to digital form, creating legally binding outcomes within a digital identity framework.
In matters related to responsibility, it would also be worthwhile to draw on the solutions introduced in banking. Banks, as issuers of electronic payment instruments, assume a significant degree of responsibility arising from the risks associated with inadequate security or malfunctioning of the payment tools they provide. Thanks to this, customers were more willing to trust modern payment systems and began to use them eagerly.
In the case of identity verification tools, the entities issuing them under the eIDAS 2.0 regulation will be public authorities designated by EU Member States, qualified trust service providers (QTSPs) certified by the relevant national bodies, and private entities cooperating with Member States. Therefore, it seems natural that individual EU countries should be responsible for any malfunctioning of these tools, while of course limiting the potential for abuse as far as possible and clarifying legal responsibility in digital identity systems.
User Control, Consent, and Trust in Digital Identity Systems
Once responsibility is clearly defined, the focus inevitably shifts to the role of users themselves. Digital identity tools are often framed as empowering, but empowerment without understanding can weaken trust rather than strengthen it.
From a legal perspective, digital identity is inseparable from digital declarations of intent that produce concrete legal effects. Trust cannot be built if the recipient of such a declaration cannot be certain of the legal status it creates. This makes education essential — not only about convenience, but about consequences.
User control must therefore be balanced with clarity. Consent, revocation, and access rights only work when users understand what they are agreeing to and what follows from those decisions. Without that understanding, even well-designed systems risk undermining the certainty they are meant to provide.
PSD3 and PSR as Instruments of Payment System Harmonisation
These same tensions around trust and responsibility are visible in payment regulation. PSD3 and the Payment Services Regulation were designed using lessons from PSD2, with the PSR in particular aiming to reduce national divergence by avoiding local transposition.
From a consumer protection perspective, however, harmonisation raises difficult questions. Shifting full liability onto payment service providers for losses caused by social engineering ignores the reality that such manipulation can affect any user, regardless of experience or caution.
Payment institutions already invest heavily in security and education, but fraud prevention cannot rest on one group alone. Effective protection requires a broader ecosystem that includes communication platforms, public authorities, and education systems. Regulation works best when responsibility is shared and incentives are aligned across all participants in the payment system.
Cross-Border Compliance Costs for Payment Systems Like BLIK
While harmonisation looks convincing on paper, cross-border operation still exposes the gap between regulation and reality. Payment systems remain deeply embedded in national economies, each with its own supervisory expectations.
This creates particular challenges for payment systems such as BLIK, which are not payment institutions and therefore do not benefit from a single European licence. In practice, cross-border expansion often requires repeated negotiations with national regulators.
From an operational perspective, a framework that allows payment systems to operate across borders without renegotiating their position in every jurisdiction would significantly reduce friction and better reflect the reality of a single market.
Digital Identity and Payments as Parallel Regulatory Frameworks
These cross-border challenges also explain why digital identity and payments, despite growing interaction, remain legally distinct. While there is some convergence at the technical level, the two areas still involve different actors, different risk profiles, and very different levels of adoption.
Digital payments are ubiquitous. Digital identity, by contrast, has yet to achieve the same level of everyday use. Given this imbalance, it is premature to create a unified legal framework for both areas — particularly when it is still unclear which identity solutions introduced under eIDAS will gain real traction.
Compliance by Design as a Necessity in Regulated Payment Systems
For companies operating in this environment, early legal involvement is no longer optional. At BLIK, lawyers are involved in project work from the very beginning. Running a business in regulated payment systems requires navigating a dense “thicket” of regulations.
In this context, ignoring legal risks would be comparable to taking a walk through a minefield without a mine detector. Over the past decade, so many regulations have emerged that verifying whether a given idea can be implemented in compliance with them — and then ensuring ongoing adherence — has become not just part of organisational culture, but a necessity without which it is difficult for companies to survive.
Open Finance, Data Sharing, and Interoperability Challenges
These pressures intensify in areas where regulation actively reshapes competition. Open banking and open finance are concepts whose translation into reality requires the introduction of regulations that open new business opportunities for one category of entities, while imposing on another the obligation to bear the costs of implementing these ideas.
Financial institutions will be required to support entities that may become (or already are) their competitors. In this context, it is difficult to expect enthusiasm for this idea from financial institutions, which will be required to share the data they collected.
Banks and other financial institutions incurred the costs of building databases and will bear the costs of maintaining these databases and sharing data. If regulation-enforced support for competition is to be effective, it must be profitable for financial institutions. Otherwise, they will only perform the minimum required by law.
Setting reasonable rates for access to data will therefore be crucial, particularly as open finance regulation and data sharing continue to evolve across Europe.
Evolving Role of Legal Teams in Payment Innovation
In this environment, legal teams cannot function solely as risk managers. At the same time, for these projects to have a real chance of business success, lawyers must also demonstrate courage in their thinking — a competence that is now becoming just as important as knowledge of the law.
BLIK would not have taken off as the first non-card mobile payment system in this part of Europe if we had focused solely on looking for explicit legal provisions authorising us to act. Implementing innovative business ideas within regulated payment systems requires not only identifying explicit prohibitions, but also being ready to take risks in activities that have not yet been clearly regulated.
A lawyer must be like a navigator on a racing ship, able to chart a course that avoids rocks and reefs, while guiding the vessel to the finish line on the treasure island ahead of the fleet. Ideally, as the first to arrive.
The reward for such an innovation-supporting approach is the satisfaction of contributing to the creation of solutions that bring real value to the people who use them.
Regulatory Expansion and Declining Legal Clarity
At the same time, the expanding regulatory landscape reduces overall legal clarity. This, in turn, requires expanding the teams responsible for ensuring that a company’s operations comply with the law.
While this trend is certainly beneficial from the perspective of the legal profession, I have doubts as to whether it is equally beneficial for the economy, particularly for innovative payment systems operating across borders.
Legal and Regulatory Challenges on the Five-Year Horizon
Looking ahead, digital identity is unlikely to become a core element of European payments in the near term. We already have experience from the first wave of eIDAS regulations, yet the idea of digital identity has not gained widespread popularity across Europe as a result.
A more reasonable approach would be to analyse which digital identity models in individual countries have already begun to gain traction. After examining the foundations of their success, such a model could be translated into regulation at the pan-European level, offering a stronger foundation for digital identity regulation in Europe.
During this period, we will nonetheless face other challenges related to artificial intelligence. The AI Act has not resolved the vast majority of issues generated by AI. Strong customer authentication rules already hinder the implementation of AI-based solutions in modern business models, including advanced split payment and automated checkout scenarios.
Europe must also reflect on whether, in the face of competition from China, the United States, and India, it is wise to burden its economy with ever more regulations. After all, no regulation will ever be an essential ingredient in the recipe for baking bread.



