CCD2, the EU's revised Consumer Credit Directive, is the biggest overhaul of European consumer credit regulation in 15 years. But much of what it codifies is already in force across several Member States, and the area where it changes operational reality is narrower than the directive's scope might suggest.
For the full background, including the six-year regulatory process and the Commission's diagnosis of CCD1, see this CCD2 explainer.
What CCD2 changes, briefly
CCD2 (Directive (EU) 2023/2225) replaces the 2008 framework. The substantive changes fall into four areas.
The scope of regulated credit broadens. The €200 lower threshold is removed and the upper limit rises from €75,000 to €100,000. BNPL, deferred debit cards, certain overdrafts, leasing with purchase options, and crowdfunding credit services are now explicitly covered. Member States retain discretion to apply a lighter regime to very small or short-duration credit, but the default position is that these products are regulated.
Article 18 carries forward the creditworthiness assessment obligation from CCD1 Article 8 but adds substance to it. Lenders must consider a defined set of information categories. The assessment must be proportionate to the credit being offered, and credit can only be extended when the assessment is positive, with narrow exceptions for student loans and healthcare-related credit.
Authorisation requirements tighten. All creditors and credit intermediaries must go through admission, registration, and supervision by an independent competent authority. Credit institutions and authorised payment or e-money institutions are carved out, but many BNPL providers will now need a licence where they previously operated under a payment-services framework or none at all.
The SECCI is replaced by a more concise pre-contractual form intended to be easier to read on mobile screens. Advertising rules tighten substantially, including a required warning beginning "Caution! Borrowing money costs money."
Where the obligation is already real
Creditworthiness assessment is not a new obligation across the EU. For substantial parts of the consumer credit market, it has been a real, supervised requirement for nearly a decade.
In the Czech Republic, non-bank lenders have been subject to a creditworthiness assessment obligation since 2016, actively supervised by the Czech National Bank. The Netherlands operates a comparable regime via BKR and AFM supervision. Germany has long required substantive assessment under BGB §505a and BaFin guidance. Several Nordic markets have had national frameworks in place for years.
For lenders in these markets, CCD2 is an incremental tightening of an existing regime. For lenders in lightly-transposed markets, and for BNPL providers everywhere, it is a much bigger shift. Which situation applies to you depends on where you operate, and the operational implications differ accordingly.
This country-by-country article covers the Member States that are furthest along in transposing CCD2.
November 2026 deadline
CCD2 is scheduled to apply in full from 20 November 2026, though there is real uncertainty about whether the date will hold.
Twenty-three of twenty-seven Member States missed the 20 November 2025 transposition deadline. In late 2025, Ecommerce Europe and several national industry associations formally asked the European Commission to extend the application date by one year, to 20 November 2027. So far, the Commission has not agreed.
There is precedent on both sides. NIS2 faced similar slippage without any formal extension. In April 2025, CSRD and CSDDD got a "stop-the-clock" postponement instead.
Plan around November 2026, but keep contingency for slippage. The regulatory direction is fixed even if the timing isn't.
Article 18 in practice
The biggest day-to-day change is Article 18. Under CCD1 the obligation was procedural: perform an assessment. Under CCD2 it is substantive. The assessment must be based on verified financial data and held to documentation standards that survive audit, proportionate to the size and risk of the credit being offered.
The depth of the assessment scales with the credit. For anything beyond a very small short-term loan, the assessment has to verify income, weigh it against existing commitments, and look for signs of financial stress.
The question for lenders is where this data comes from and whether it holds up under scrutiny. Bureau data, declared income, and document upload remain valid inputs but have known gaps. Transaction data accessed via open banking under PSD2 shows actual financial behaviour: how money flows in and out, and the risk signals behind it. It is the data category that lines up most cleanly with what Article 18 asks for.
Raw transaction data needs significant enrichment before it is fit for that purpose. Bank-issued descriptions are inconsistent and MCC codes are broad where they exist at all. Miscategorised income or missed liabilities produce assessments that are hard to defend in an audit. What was an operational nuisance under CCD1 becomes a compliance question under CCD2's documentation and auditability requirements. Tapix is built to close that enrichment gap, but the harder question for most teams is whether the data feeding their affordability model would hold up to a regulator.
