IMGL Magazine March 2026

EU REGULATION

EMIR, and CRR/CRD IV reflects a move toward maximum harmonization. Crucially, this normative convergence was paired with supervisory harmonization through EU agencies, most notably the European Securities and Markets Authority (“ESMA”), which was granted direct supervisory powers over certain cross-border market infrastructures. Also, the Single Supervisory Mechanism (“SSM”) transferred supervision of major banks to the European Central Bank (“ECB”)², explicitly to ensure that EU rules were applied consistently. What made harmonization work more efficiently in this case was partial centralization of supervision and the development of binding technical standards (RTS/ITS) that constrained national discretion. They translated high-level legislative obligations into defined, granular and directly applicable supervisory requirements. These instruments narrowed interpretative variance and limited supervisory discretion³.

The problem of fragmented supervision

On the other hand, many financial institutions provide a clear example of the limits of the current harmonisation model, for example payment service providers (“PSPs”). Although these sit under the fully harmonised legal framework of the Revised Payment Services Directive (“PSD2”), they remain almost entirely nationally supervised. This has produced differences in supervisory culture, risk tolerance, and enforcement style that directly affect their cross-border operation. In theory, under the PSD2, a PSP authorised in one EU Member State can passport services across the EU under the same standards. In the EU, passporting is the legal mechanism that allows regulated businesses authorized in one Member State to provide their services across the entire EU/EEA without needing additional local licenses. In practice, however, supervision and enforcement are carried out by national competent authorities, and those authorities have materially different approaches to interpretation, risk, compliance expectations, and intervention thresholds.

Supervisory divergence is also visible in the intensity of enforcement. According to EBA supervisory convergence reports⁴, some authorities rely heavily on thematic reviews and early remediation, while others intervene only after breaches become material, leading to inconsistent outcomes for similar conduct. For entities operating across multiple EU Member States, this means that identical business models can face markedly different compliance burdens.

The EU Commission itself has acknowledged these problems in the context of the upcoming revision of the Payment Services Directive (“PSD3”) and Payment Services Regulation (“PSR”) reforms⁵. The EU Commission explicitly argues that further harmonisation and a move toward more directly applicable rules are needed because divergent national supervision under PSD2 has undermined consistency and consumer protection⁶.

Data protection: the limits of full harmonization

The General Data Protection Regulation (“GDPR”) represents the EU’s most ambitious legal harmonization so far. As a regulation, the GDPR applies directly across all EU Member States. However, the GDPR highlights the limits of legal convergence, since, in practice, differences in procedural law, regulatory capacity, and enforcement priorities have led to

2 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32013R1024

3 Insight: the recent adoption of the Digital Operational Resilience Act (“DORA”) represents a further evolution of this harmonization logic. By mandating common templates, timelines, testing frameworks, and reporting taxonomies via the underlying binding technical standards (RTS/ITS), and by introducing direct EU-level oversight of certain critical third-party ICT providers, DORA addresses a structural weakness of earlier harmonization efforts: the reliance on national supervisors to apply open-textured risk-management duties. In doing so, DORA illustrates a more mature form of harmonization that operates simultaneously at normative, technical, procedural and supervisory levels.

4 https://www.eba.europa.eu/activities/supervisory-convergence

5 PSD3 is the EU’s ongoing attempt to fix certain limits of harmonization, though without creating a central supervisor. Proposed by the EU Commission in June 2023, the package is, at the time of writing, still moving through the EU legislative process. The key change is that many operational and conduct rules where national divergence has been considered greatest under the PSD2 will move into a regulation, reducing the scope for national interpretation. Thus, PSD3 is explicitly designed to address inconsistent supervision of PSPs, uneven enforcement of AML and safeguarding rules, as well as weaknesses in the passporting regime. While authorisation and day-to-day supervision will remain national, the package strengthens supervisory convergence tools and further clarifies host-authority powers. PSD3 is expected to be adopted soon, with application likely from 2026–2027. It will narrow, but not eliminate, some differences in the supervisory culture across the Member States.

6 https://www.europarl.europa.eu/RegData/etudes/BRIE/2025/775891/EPRS_BRI%282025%29775891_EN.pdf
