On this page
- What PSD2 Actually Requires
- QWAC vs QSEAL: The Two Certificates at the Core of PSD2
- eIDAS: The Legal Framework Behind the Certificates
- Strong Customer Authentication (SCA) and Its Relationship to Certificates
- How to Obtain a PSD2-Compliant Certificate
- Certificate Validity and Renewal
- Common Compliance Failures
- PSD2 Compliance for Canadian Fintech
PSD2 (Payment Services Directive 2) reshaped how banks and third-party payment providers operate across Europe, and its technical requirements directly affect any fintech company handling European customer data or payments. If your business connects to European banking APIs, issues payment initiation requests, or accesses account information, you need a clear picture of what PSD2 demands at the certificate level. This guide covers the core requirements, certificate types, and practical steps to stay compliant in 2026.

What PSD2 Actually Requires
PSD2 is an EU directive enforced through Regulatory Technical Standards (RTS) published by the European Banking Authority (EBA). It covers two main categories of third-party providers:
- AISP (Account Information Service Providers) - read account data on behalf of users
- PISP (Payment Initiation Service Providers) - trigger payments from user accounts
Both must authenticate themselves to banks using qualified certificates. Banks are prohibited from accepting requests from unauthenticated third parties. This is not a guideline - it is a hard technical requirement enforced at the API layer.
Key obligations under PSD2 RTS Article 34:
| Requirement | Details |
|---|---|
| Mutual TLS authentication | TPPs must present a valid QWAC during every API call |
| Transaction signing | PISPs must sign payment requests using a QSEAL certificate |
| Certificate authority | Certs must be issued by a Qualified Trust Service Provider (QTSP) under eIDAS |
| Authorization number | Certificate must embed the PSP's national authorization ID |
| Revocation checking | Banks must verify OCSP or CRL status in real time |
QWAC vs QSEAL: The Two Certificates at the Core of PSD2
Two certificate types are central to PSD2 technical compliance. They serve different functions and cannot substitute for each other.
QWAC (Qualified Website Authentication Certificate)
A QWAC authenticates the identity of a payment service provider at the transport layer. When a PISP or AISP connects to a bank's open banking API, the QWAC is presented during the TLS handshake. The bank verifies the certificate against a trusted QTSP and reads the embedded PSD2 attributes - specifically the authorization role (PISP, AISP, or both) and the national competent authority (NCA) registration number.
Without a valid QWAC, the bank's API will reject the connection. There is no fallback.
QSEAL (Qualified Electronic Seal Certificate)
A QSEAL is used to sign API messages - most commonly payment initiation requests. The seal proves that the message has not been modified in transit and that it originated from a specific legal entity. A bank receiving a signed payment request can verify both authenticity and integrity using the TPP's QSEAL.
| Feature | QWAC | QSEAL |
|---|---|---|
| Used at | TLS transport layer | Application/message layer |
| Primary function | Mutual authentication | Message signing and integrity |
| Required for AISP | Yes | No (recommended) |
| Required for PISP | Yes | Yes |
| Certificate type | Qualified TLS | Qualified eSeal |
| Key usage | Client authentication | Non-repudiation, digital signature |
eIDAS: The Legal Framework Behind the Certificates
PSD2 certificates derive their legal weight from eIDAS (Electronic Identification, Authentication and Trust Services), the EU regulation governing qualified trust services. eIDAS defines what makes a certificate "qualified" - the QTSP must appear on the EU Trusted List (EUTL), follow strict issuance procedures, and store private keys in hardware security modules (HSMs).
eIDAS 2.0, which entered full effect in 2024 and continues through 2026, expanded the framework to include the European Digital Identity Wallet (EUDIW). For payment providers, the practical impact includes:
- Stricter identity verification requirements at certificate issuance
- New certificate profiles for natural persons acting on behalf of legal entities
- Interoperability mandates between EU member state identity systems
For Canadian fintech companies operating in EU markets, eIDAS compliance is a prerequisite - Canadian digital certificates do not satisfy PSD2 requirements unless issued by a QTSP listed on the EUTL.
Strong Customer Authentication (SCA) and Its Relationship to Certificates
SCA is the end-user authentication layer of PSD2. It requires that payment authentication uses at least two of three factors:
- Something the user knows (password, PIN)
- Something the user has (mobile device, hardware token)
- Something the user is (biometric)
SCA does not directly involve QWAC or QSEAL certificates - those operate at the TPP-to-bank layer. However, SCA failures often appear in compliance audits alongside certificate issues, because both are governed by the same RTS. Common SCA-related compliance gaps in 2026:
- Incorrect exemption application (transaction risk analysis thresholds exceed EBA limits)
- Missing dynamic linking - the authentication code must be linked to the specific transaction amount and payee
- SCA bypass via the "trusted beneficiary" exemption without proper enrollment flow
How to Obtain a PSD2-Compliant Certificate
The process involves regulatory and technical steps. Skipping steps is a common source of compliance failure.
Step 1: Register with a National Competent Authority
Before any QTSP can issue a certificate with embedded PSD2 attributes, the applicant must hold a valid payment institution license or registration. In the EU, this means obtaining authorization from the NCA in the country of establishment (e.g., BaFin in Germany, FCA in the UK pre-Brexit, DNB in Netherlands). The NCA issues a registration number that must appear in the certificate.
Step 2: Choose a QTSP from the EU Trusted List
The EUTL is maintained by the European Commission and updated regularly. As of 2026, there are approximately 200+ qualified trust service providers listed across EU member states. Not all issue PSD2 certificates - confirm the provider explicitly supports PSD2 QWAC and QSEAL profiles (ETSI TS 119 495).
Step 3: Complete Identity Verification
QTSPs must verify the legal entity identity and the individual authorized to request the certificate. This typically requires:
- Certificate of incorporation or equivalent
- Proof of NCA registration
- Identity documents for the authorized representative
- In-person or video verification (level varies by QTSP)
Step 4: Generate a Certificate Signing Request (CSR)
The CSR must include the correct extended key usage (EKU) values for PSD2:
id-etsi-psd2-role-PSP_AIfor AISPid-etsi-psd2-role-PSP_PIfor PISPid-etsi-psd2-role-PSP_ICfor issuing and acquiring roles
Both roles can be combined in a single QWAC if the provider holds dual authorization.
Step 5: Install, Test, Configure Revocation
After issuance, configure your API client to present the QWAC during mutual TLS. Test against sandbox environments before production. Ensure your infrastructure respects OCSP stapling - some bank implementations check revocation during every connection.
Certificate Validity and Renewal
PSD2 certificates have a maximum validity of 2 years under eIDAS. Expired or revoked certificates will cause immediate API access failure across all bank connections. Renewal should begin at least 60 days before expiry to account for identity re-verification delays.
| Event | Impact |
|---|---|
| Certificate expiry | All API connections rejected |
| Certificate revocation | Immediate rejection, often no grace period |
| NCA registration lapse | QTSP may revoke certificate automatically |
| HSM compromise | Certificate must be revoked and reissued |
Set automated alerts at 90, 60, and 30 days before expiry. Several fintech outages in 2024-2025 traced directly to missed certificate renewals.
Common Compliance Failures
Audits conducted under PSD2 in 2025 and 2026 frequently cite the following gaps:
- Wrong certificate type: Using a standard OV TLS certificate instead of a QWAC for API connections. OV certificates do not carry PSD2 attributes and will not pass NCA audits.
- Missing QSEAL for payment signing: AISPs sometimes skip QSEAL issuance because they do not initiate payments, but some bank implementations require a signed request regardless.
- Certificate-to-entity mismatch: The legal entity in the certificate does not match the entity registered with the NCA due to corporate restructuring or rebranding.
- No revocation monitoring: Certificates get revoked without the TPP noticing, causing silent API failures that appear as bank-side errors.
- Incorrect PSD2 roles embedded: A provider holding both AISP and PISP authorization sometimes receives a certificate with only one role, causing authorization failures on certain endpoints.
PSD2 Compliance for Canadian Fintech
Canada does not currently implement PSD2 - open banking in Canada is governed by a separate framework under the Financial Consumer Agency of Canada (FCAC), with the Consumer-Driven Banking Act coming into effect in stages through 2026. However, Canadian fintech companies that:
- Process payments for EU residents
- Operate EU-regulated entities (subsidiaries, branches)
- Integrate with EU banking APIs as a third party
...are fully subject to PSD2 requirements for that portion of their operations. A Canadian-headquartered PISP connecting to a German bank must hold a QWAC issued by an eIDAS-compliant QTSP, regardless of where the company is incorporated.
Canadian domestic operations that plan to align with open banking standards should watch FCAC technical standards closely. Early indications suggest the Canadian framework will borrow authentication concepts from PSD2 but will not require eIDAS-qualified certificates for domestic API access.
Planning an implementation?
Keep the legal entity, domain controls and certificate lifecycle in the same review.
Discuss your use caseFrequently asked questions
Practical answers
What is the difference between a QWAC and a standard SSL certificate?
A standard SSL/TLS certificate authenticates a web server to browsers. A QWAC (Qualified Website Authentication Certificate) does the same at the transport layer but additionally embeds legally verified PSD2 attributes - the provider's national authorization number and permitted roles (AISP, PISP).
Do I need separate QWACs and QSEALs for each country where I operate?
No - a single QWAC or QSEAL is valid across all EU member states, provided it is issued by a QTSP on the EUTL and embeds the correct NCA registration number. You need one registration with an NCA in your EU country of establishment, and the certificate derived from that registration is passported across the EU.
How long does it take to obtain a PSD2 QWAC certificate?
Timelines vary by QTSP and applicant complexity. For a straightforward application where the payment institution license is already held, expect 5-15 business days from complete documentation submission to certificate issuance.
What happens if my QWAC is revoked during active banking API integrations?
Revocation takes effect immediately. Banks perform OCSP or CRL checks on each connection attempt, and a revoked certificate results in a hard rejection - the TLS handshake fails before any API request is processed.