Biometrics – Instant Payments – Regulatory Update – eIDAS Wallet – ESG -Post Quantum Cryptopgraphy Migration - SPA Newsletter July 2025

Dear Colleagues, 

 

There’s little doubt that the payments ecosystem is accelerating fast – as a host of new technologies and regulations combine to redefine the future.

 

The continued rise of payment wallets, instant payments, open banking and biometric authentication are just some of the key trends fueling this change. EU regulators are further intensifying their demands for enhanced security and interoperability measures to support the delivery of seamless, trustworthy, and convenient payment experiences for consumers.

While we recently provided a comprehensive overview of key 2025 market trends in our 20-year anniversary newsletter, this edition offers a brief update on the progress of several ongoing SPA workstreams. We also examine the activities and outcomes resulting from our work undertaken with regulators, payments standardization bodies, and the other stakeholders of the payments industry.

 

Biometric Cards

In our last newsletter we announced the Biometric Card Working Group was close to finalising the initial standardization and interoperability specifications that will support end-users in their biometric payment card enrolment journey. In close collaboration with its Advisory Council members, SPA has made good progress in further refining these specifications by incorporating broader industry feedback.

 

This significant achievement represents a major step to foster smooth adoption and usage of biometric cards by issuers and end-users in a standardized, streamlined and systematic way. SPA is now working on a strategy to promote these specifications within the payments industry—either as a proprietary SPA implementation specification or through submission to relevant standards bodies, such as EMVCo and ISO.

 

Instant Payments

Following Apple’s move to open up access to its NFC technology to apps on its iPhone, the use of the EMV and NFC standards to create mobile phone based instant payment solutions is gathering pace.

 

For the past five years, SPA has been working very closely with the European Payments Council (EPC), the European Payment Stakeholders Group (EPSG) and the European Payment Systems Experts Group (PSMEG) to drive this initiative forward and make secure and convenient instant payments at the PoS become a reality for consumers. As part of this effort, SPA has been strongly contributing to the EPSG’s work on the development of robust security requirements for instant payments that will feature a common contactless interface for both cards and instant payments.

 

SPA welcomes the progress being made by EPSG on defining a standardized security model for instant payments and is confident that the first draft of these standards will be available in Q3 of this year.

 

Regulatory Update

Regulatory bodies in the EU are pushing strongly on the implementation and enforcement of obligations relating to two key regulations: the EU’s NIS-2 Cyber Infrastructure Directive and the Cyber Resilience Act (CRA).

 

The SPA Security Working Group is currently investigating the impact of NIS-2 on existing payment facilities and is also reviewing any overlaps between the CRA and the Digital Operational Resilience Act (DORA) to ensure consistency and to address potential gaps.

 

Following the publication of its position paper on DORA , SPA is now preparing another position to clarify the impact of the NIS-2 Directive in terms of new risk management and testing processes for payment card vendors. Scheduled to be released in the autumn, this next publication will complete the SPA evaluation on the new EU Cybersecurity Regulatory Framework.

 

eIDAS

SPA is collaborating with the Secure Identity Alliance (SIA) to produce a paper setting out the potential of the eIDAS digital identity wallet to support use cases for the payments industry.

 

SPA is committed to working closely with the digital identity industry bodies to evaluate all potential application opportunities arising from the integration of the eIDAS wallet into existing payment infrastructures — including eIDAS user identification & authentication, remote user KYC and onboarding, and the initiation of SEPA regulated retail payment instruments (Cards, A2A and the future Digital Euro).

 

Environmental, Social and Governance (ESG) Initiatives

Dedicated to helping the payments industry adopt truly progressive ESG strategies, SPA is contributing to a variety of collaborative projects that will deliver real progress on this front.

 

SPA has established a new ESG Working Group that is currently working on two key program initiatives relating to:

1. A common vendor approach for the carbon footprint assessment during the lifecycle of the payment card, and

2. An analysis of the transposition on national laws of the EU Accessibility Directive which came into force on June 28th, 2025.

 

 

Securing card payments in a post-quantum world

SPA is leading EPSG efforts to define a common position for the payments industry on the rigors associated with migrating to post-quantum cryptography mechanisms and plans to publish a paper on this topic later in the year.

 

SPA notes that the European Commission will lead the EU’s post-quantum cryptography (PQC) migration plan and will ensure that the card payments strategy is fully aligned with the recommendations, timelines and roadmaps contained within this plan.

 

Outlook

It’s already been a busy year for payments, with major developments across regulation, technology, and industry collaboration. As we look ahead to the second half of 2025, SPA is focused on its contributions to European and international standardization efforts in the payments industry.

SPA is fully committed to successfully continuing this ongoing work, strengthening our collective voice, extending our influence, and opening up new opportunities for our members.

Best regards
Andreas Strobel
President
Smart Payment Association