Payments | Crypto
Sanctions and (digital) payment services: Closing the backdoors to Russia
With Regulation (EU) 2025/2033, the EU has broadened its restrictive framework by extending sanctions beyond crypto-asset services to a defined set of payment and electronic money services. The framework constructs targeted prohibitions around specific regulated services identified by reference to PSD2 and EMD2, treating crypto-assets as functionally equivalent channels of value transfer subject to the same constraints as traditional payment infrastructures.
· 3 min
markdown
---
title: "Sanctions and digital payment services: Closing the backdoors to Russia"
series: regulatory-catalyst
jurisdiction: EU
verticals:
- Payments
- Crypto
signalstrength: breaking
instrument: "Regulation EU 2025/2033"
status: published
date: 2026-04-20
summary: "The EU has extended its Russia sanctions framework to cover a defined set of payment and electronic money services alongside crypto-asset services, treating both as functionally equivalent channels of value transfer subject to the same prohibitions."
---
Sanctions and digital payment services: Closing the backdoors to Russia
The European Union has extended its Russia sanctions architecture to cover regulated payment and electronic money services through Regulation EU 2025/2033https://www.dlapiper.com/en-kr/insights/publications/innovation-law-insights/2026/innovation-law-insights-20-april-2026. The move closes a structural gap that had left payment institutions and e-money institutions outside the explicit scope of restrictions that already applied to crypto-asset service providers. For firms operating under PSD2 or EMD2 authorisations, this is not a policy signal to monitor at a distance. It is a live compliance obligation.
What the Regulation does
Regulation EU 2025/2033 extends the EU's existing Russia restrictive measures by adding a defined set of payment services and electronic money services to the categories of activity that are now subject to targeted prohibitions. The services in scope are identified by direct reference to the regulatory definitions in the Payment Services Directive PSD2 and the Electronic Money Directive EMD2, anchoring the sanctions perimeter to the same taxonomy that payment supervisors already use.
Crypto-asset services were brought within comparable restrictions in earlier rounds of EU sanctions packages. The new regulation treats crypto-assets and regulated payment infrastructure as functionally equivalent channels for transferring value, and applies the same logic to both. The effect is to remove the asymmetry where a transfer routed through a crypto-asset service provider was caught by sanctions rules while a structurally similar transfer routed through a licensed payment institution was not.
What is actually new
The substantive novelty is the explicit extension of prohibitions to PSD2 and EMD2 services as a named category. Prior iterations of the EU Russia sanctions framework addressed financial institutions broadly and captured payment activity through general financial services restrictions, but did not apply targeted prohibitions calibrated specifically to the payment and e-money service taxonomy.
By drafting the new prohibitions around the PSD2/EMD2 service definitions, the regulation creates a compliance hook that maps directly onto the licences that payment institutions and e-money institutions already hold. Firms know which services they are authorised to provide. They can now read that authorisation list against the sanctions perimeter with reasonable precision.
The functional equivalence treatment of crypto-assets is also a consolidation of intent. The EU is signalling that the channel of transfer does not determine whether a restriction applies. Whether value moves through a traditional payment rail, an e-money account, or a crypto-asset transfer, the same prohibitions attach where the relevant Russia-connected parties or purposes are involved.
Who is affected first
Payment institutions and e-money institutions authorised under PSD2 and EMD2 are the primary new entrants into explicit scope. That includes firms providing payment initiation services, account information services, card-based payment instruments, money remittance, and e-money issuance across EU member states, whether operating under a full licence or a passport.
Crypto-asset service providers were already within the sanctions framework and are not newly captured, but the alignment of the two regimes means that firms operating across both verticals now face a consolidated set of obligations rather than two parallel but asymmetric rulesets.
Third-country payment firms accessing EU markets through correspondent arrangements or agent networks also need to assess the read-across. Where an EU-licensed institution is the counterparty or settlement layer, the prohibitions flow through that relationship.
The regulatory logic behind the design
The PSD2/EMD2 definitional anchoring is a deliberate drafting choice with practical consequences. It means the sanctions perimeter is not defined by a broad reference to financial services but by a specific, supervised licence category. Competent authorities responsible for payment supervision are the natural enforcement counterparts, and the crossover between the sanctions framework and the supervisory relationship becomes more direct.
This approach also reflects how payment services have evolved as an evasion risk. As correspondent banking restrictions tightened around Russia-connected flows, regulated payment institutions and e-money issuers became structurally more relevant as alternative transfer channels. The regulation addresses that substitution effect directly.
The functional equivalence treatment of crypto-assets reinforces a principle that has been building across EU financial regulation: that activity-based regulation should not be circumvented by choosing a newer technological form. MiCA established that principle for market conduct. Sanctions regulation is now applying the same logic to restrictive measures.
Operational implications for payment firms
Firms need to map their PSD2/EMD2 service categories against the specific prohibitions in Regulation EU 2025/2033. The regulation's definitional precision is an advantage here. The question is not whether a firm is a financial institution in the general sense but whether it provides a specific service type that now falls within the named prohibitions.
Transaction screening and customer due diligence processes need to be calibrated to the new perimeter. Firms that built their sanctions screening around pre-existing restrictions on financial institutions should not assume that existing controls automatically capture the new targeted prohibitions. The service-specific framing may require additional screening logic.
Correspondent and agency relationships require review where any party in the chain has Russia-connected exposure. The extension of prohibitions to PSD2/EMD2 services means that facilitation through a licensed payment institution is itself within scope, not merely the underlying transfer.
For firms with both payment and crypto-asset operations, the consolidation of the two regimes under equivalent prohibitions simplifies the conceptual framework but requires a unified compliance approach. Running parallel sanctions programmes calibrated to different rules for functionally similar activities creates gap risk.
What remains open
The regulation establishes the perimeter but enforcement patterns and supervisory expectations around implementation will develop over time. It is not yet clear how payment supervisors across EU member states will coordinate with sanctions enforcement authorities on examination and enforcement. The crossover between prudential and sanctions supervision is an operational question that competent authorities will need to address in practice.
Derogation and licensing processes for transactions that would otherwise be prohibited also require attention. Firms will need to understand the available derogation routes under the regulation and the competent authority responsible for granting them, which varies by member state.
The treatment of legacy contractual obligations and payment instructions in-flight at the time the regulation entered into force is a practical question that may require clarification through guidance or supervisory communication.
What to watch
The European Commission and member state competent authorities are expected to publish implementation guidance as firms begin applying the new requirements. Payment supervisors, including the EBA in its cross-border coordination role, may issue statements on how sanctions compliance expectations interact with PSD2 supervisory obligations.
Enforcement actions under the extended perimeter will be the clearest signal of how broadly authorities interpret the new prohibitions in practice, particularly around correspondent and agency chain liability.
Further extensions of the Russia sanctions framework remain possible. The functional equivalence logic applied in Regulation EU 2025/2033 could support future rounds that address other digital asset categories or payment infrastructure types not currently named in the PSD2/EMD2 taxonomy, including services that fall under MiCA but were not previously captured by crypto-asset service restrictions.
Sources
- DLA Piper Innovation Law Insights, 20 April 2026 — analysis of Regulation EU 2025/2033https://www.dlapiper.com/en-kr/insights/publications/innovation-law-insights/2026/innovation-law-insights-20-april-2026
- Regulation EU 2025/2033 — EUR-Lex Official Journalhttps://eur-lex.europa.eu/search.html?query=2025%2F2033&scope=EURLEX&lang=en&type=quick
- Council Regulation EU No 833/2014 — consolidated Russia restrictive measures frameworkhttps://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014R0833
- Directive 2015/2366/EU PSD2 — service taxonomy referenced in the regulationhttps://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366
- Directive 2009/110/EC EMD2 — e-money definition referenced in the regulationhttps://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0110