The EU's revised Consumer Credit Directive (CCD2) is the biggest overhaul of consumer credit regulation in Europe in 15 years. Most coverage skips straight to the compliance checklist: new scope, creditworthiness requirements, deadline in November 2026. That framing is incomplete, and for some readers actively misleading.
CCD2 didn't appear out of nowhere. It is the product of a six-year regulatory process, built on a documented diagnosis of weaknesses the 2008 framework showed. The requirements it introduces are new for some markets but already business-as-usual in others. And the headline application date (20 November 2026) is more of a working assumption than a settled certainty.
This article walks through what CCD2 actually is, why the EU concluded that CCD1 needed replacing, and what the practical implications are for lenders and BNPL providers. The compliance focus at the end is on creditworthiness assessment, because that is the area where data infrastructure becomes a regulatory question.
Why is EU replacing CCD1
The 2008 Consumer Credit Directive (Directive 2008/48/EC, "CCD1") was drafted in a different world - one in which online lending was a niche, and "buy now, pay later" as a category did not meaningfully exist outside of catalogue retail. The directive harmonised core elements of consumer credit law across the EU and set the foundation for a single market in consumer lending. But the European Commission included a review of CCD1 in its 2020 work programme as part of its New Consumer Agenda. The review concluded that CCD1 had been "only partially effective" in ensuring a high level of consumer protection, and identified several distinct categories of problem:
Scope gaps: CCD1 excluded products that had become commercially significant - BNPL, zero-interest short-term credit, certain leasing arrangements, peer-to-peer lending, and crowdfunding credit. It also excluded loans below €200 entirely. In practice, small loans turn out to be disproportionately used by financially vulnerable consumers, are often offered as high-cost credit such as payday loans, and carry effective APRs that can be an order of magnitude higher than larger loans because fixed origination costs are spread over a smaller principal.
Imprecise wording leading to fragmentation: Several CCD1 provisions used language that left significant room for national interpretation. Member States used this flexibility, and the result was a patchwork of working and not-so-well-working solutions.
Weak responsible-lending mechanisms: CCD1 Article 8 required lenders to perform a creditworthiness assessment, but it did not specify what to do with the result. A lender could conduct an assessment, conclude the borrower was unlikely to repay, and still extend credit without breaching the directive. The directive also offered limited guidance on what "sufficient information" actually meant.
Add to this a structural shift in consumer behaviour: post-2020 inflation and economic uncertainty pushed more consumers toward small-ticket, short-duration credit. BNPL became a default checkout option at many online retailers. The volume of credit decisions occurring outside the CCD1 perimeter grew substantially.
CCD2 is the response to that diagnosis. Its dual objective, stated explicitly in the recitals, is to balance the benefits of digitalisation against the risks of irresponsible lending in online customer journeys, and to deepen harmonisation so that the single market in consumer credit can finally function.
For a deeper look at how payment data enrichment addresses these challenges in open banking, see our article Payment Data Enrichment in Open Banking
What CCD2 actually changes
Scope expansion in both directions: The lower threshold of €200 is removed, bringing small-value loans and interest-free instalments into the perimeter. The upper limit rises from €75,000 to €100,000. BNPL, deferred debit cards, certain overdrafts, leasing with purchase options, and crowdfunding credit services are all explicitly covered. There is a discretionary "lighter regime" available to Member States for very small (under €200), zero-interest, or sub-three-month credit - but the default position is that these products are now regulated.
Creditworthiness assessment: CCD2 Article 18 keeps the assessment obligation from CCD1 Article 8 but adds three things CCD1 lacked - an explicit list of information categories the assessment must consider (income, expenses, existing liabilities, resilience to financial shocks); a requirement that the assessment be proportionate to the nature, duration, value, and risk of the credit; and a rule that credit can in principle only be extended where the assessment is positive, with narrow exceptions (such as student loans or healthcare-related credit). Assessments must be documented, consistent, and auditable.
Authorisation and supervision: All creditors and credit intermediaries must be subject to an adequate admission process, registration, and supervision by an independent competent authority. Credit institutions and authorised payment or e-money institutions are carved out under existing prudential regimes, but the practical effect for many BNPL providers is that they now need a licence where previously they operated under a payment-services framework or none at all.
Information and advertising rules adapted for digital: The SECCI is replaced by a shorter, one-page Standard European Consumer Credit Information form designed for mobile screens. Advertising rules tighten substantially, including a required warning that "borrowing money costs money."
A critical caveat: this is not all new
A point that a lot of CCD2 coverage gets wrong, including some industry publications, is the implication that creditworthiness assessment becomes a real obligation only in November 2026. For substantial parts of the EU consumer credit market, it has been a real obligation for nearly a decade.
In the Czech Republic, non-bank consumer credit providers have been subject to a creditworthiness assessment obligation since the entry into force of Act No. 257/2016 Sb. on Consumer Credit (the national transposition of CCD1), and the Czech National Bank has actively supervised compliance with this obligation. The CNB's published expectations on creditworthiness assessment already cover most of what CCD2 codifies at EU level: documented assessment, consideration of income and existing obligations, proportionality, and the requirement that credit not be extended where the assessment is negative.
The Netherlands operates a comparable regime via the BKR registration requirement and AFM supervision. Germany has long required substantive creditworthiness assessment under BGB §505a and BaFin guidance. Several Nordic markets have had robust national frameworks in place for years.
For lenders in these markets, CCD2 is an incremental tightening and a clarification of the harmonised baseline. For lenders in markets where CCD1 was transposed lightly, and for BNPL providers across all markets, CCD2 is a substantially different regime. Anyone reading a CCD2 article should be clear which of these two situations applies to them, because the operational implications are very different.
On the 2026 application date
CCD2 is scheduled to apply in full from 20 November 2026. It is more accurate to describe this date as the current working timeline, with meaningful uncertainty about whether it will hold for all EU members.
Twenty-three of twenty-seven Member States missed the 20 November 2025 transposition deadline (meaning defined principles how the directive will be transposed into the local legislation). By any standard this is substantial slippage. Not a handful of stragglers but the overwhelming majority of the EU. In November 2025, E-commerce Europe and several national industry associations formally wrote to the European Commission asking that the application date be extended by one year, to 20 November 2027, to give Member States and businesses time to implement properly. The Commission has not, at the time of writing, agreed to that extension.
There is historical precedent on both sides. The NIS2 cybersecurity directive faced a similar pattern: a transposition deadline that the majority of Member States missed, infringement proceedings against 23 countries, and continued slippage well past the deadline - but the application date was not formally extended. By contrast, the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD) were both subject to a formal "stop-the-clock" procedure earlier this year, with timelines pushed out by one to two years.
For lenders and BNPL providers, the strategic posture should be straightforward: treat 20 November 2026 as the working deadline, but plan for the possibility that it slips. The regulatory direction is already settled while we wait for the exact application date.
Where this lands for creditworthiness assessment
The substantive area where CCD2 changes operational reality most directly is the creditworthiness assessment regime under Article 18. The shift is from a procedural obligation ("you must perform an assessment") to a substantive one ("the assessment must be based on verified, factual financial data, proportionate to the credit being offered, documented, auditable, and capable of producing a determinate output").
The proportionality principle matters here. A €500 short-term BNPL repayment plan does not require the same depth of analysis as a €40,000 personal loan; the directive explicitly says so. But for credit at any meaningful size, the assessment has to capture income (including its stability and composition), existing liabilities, recurring committed expenditure, and indicators of financial stress or risk behaviour. The European Banking Authority's Guidelines on Loan Origination and Monitoring provide the general framework; national competent authorities will continue to interpret and adapt these guidelines to their markets.
The practical question for lenders is where this data comes from and whether it is reliable enough to support a regulatory decision.
Traditional inputs: bureau data, declared income, and document upload remain valid but have known gaps. Bureau coverage varies substantially across the EU and is particularly thin for younger consumers and gig-economy income. Declared income is self-reported. Document upload introduces friction and creates verification costs.
Transaction data: accessed via open banking under PSD2 offers a direct view of actual financial behaviour - real income flows, real recurring expenses, real existing debt servicing, real risk signals like gambling spend or payday loan dependency. This is the data category that maps most directly onto the categories Article 18 requires lenders to consider.
The complication is that raw transaction data is unfit for purpose without significant enrichment. Bank-issued transaction descriptions are inconsistent, cryptic, and frequently meaningless: the same coffee shop might appear as "SQ *COSTA COFFEE 1234", "COSTA C LON GB", or "POS PURCHASE 08/04" depending on the bank, the acquirer, and the card network. Merchant Category Codes are not consistently passed through in open banking feeds and, where present, are often too coarse: MCC 6012 covers everything from a mainstream consumer finance subsidiary to a payday lender to a crypto exchange.
Under CCD1, this data quality problem was an operational nuisance. Under CCD2's documentation and auditability requirements, it becomes a compliance question. A creditworthiness assessment built on unreliable categorisation, miscategorised income, or missed liabilities is harder to defend if a regulator examines the decision file.
How Tapix helps
Tapix specialises in transforming raw transaction data into the structured, categorised, verified format that creditworthiness assessment under CCD2 requires. Where standard open banking feeds expose only the transaction description, and where core banking data adds MCC codes, Tapix layers in cross-validated merchant identity, granular categorisation, income detection (separating stable employment income from social benefits, freelance flows, and irregular streams), recurring expense identification (rent, utilities, subscriptions, loan repayments, tax obligations), and risk signal extraction (gambling, payday loans, overdraft cycling, crypto activity).
The result is a data layer designed to map onto Article 18's substantive requirements: verified factual financial data, proportionate to the credit being offered, structured in a way that supports a defensible audit trail.
CCD2 raises the bar on what counts as a sufficient basis for a credit decision. For lenders and BNPL providers preparing for the new regime the underlying question is the same: is the data your affordability model runs on actually good enough to defend?
If you'd like to see how Tapix handles real transaction data against CCD2 requirements, get in touch.
