CCD2 Explained: What Lenders, BNPL Providers, and Fintech Companies Need to Know

CCD2 is the EU's updated framework for consumer credit, and it comes into force in November 2026. It expands the regulatory perimeter significantly, bringing BNPL, embedded finance, and retailer instalment plans into scope for the first time. CCD2 also raises the bar on how creditworthiness assessments must be conducted and documented. This FAQ covers what the directive means in practice, who it applies to, and what role open banking data plays in meeting its requirements.

What is the Consumer Credit Directive 2 (CCD2)?

CCD2 is a European directive that updates and expands the original Consumer Credit Directive, which came into effect in 2008. It strengthens the rules around how lenders assess creditworthiness, what information they must provide to consumers before entering into a credit agreement, and which credit products fall under regulatory oversight. The most significant change is the scope. CCD2 introduces credit types that have grown enormously in popularity since 2008 but have sat largely outside the original framework, most notably BNPL, retailer instalment plans, and embedded credit at e-commerce checkouts.

How does CCD2 differ from the original Consumer Credit Directive?

CCD2 makes two significant changes. First, it expands the scope to encompass BNPL, interest-free instalments, and microcredit below €200 within the regulatory perimeter for the first time. Second, it raises the evidentiary bar on creditworthiness assessments, requiring lenders to assess affordability from the consumer's perspective rather than just their own risk exposure, and to base that assessment on documented, verifiable evidence of income, expenditure, and existing liabilities. For lenders already operating under the original directive, the direction of travel is familiar, but the expectations around documentation and traceability are meaningfully higher.

Which lenders does CCD2 apply to?

CCD2 applies to any business in the EU that extends credit or allows customers to pay in instalments, regardless of whether credit is their primary business. Traditional banks and lenders were already covered under the original directive. The significant expansion is to players that weren't: BNPL providers, retailers offering instalment plans, e-commerce platforms with embedded credit at checkout, digital lenders, neobanks, and providers offering device financing on instalments. Leasing companies are in scope where their agreements include an option or obligation to purchase at the end of the term; pure rental agreements without a purchase option are excluded. Direct suppliers offering short-term, interest-free deferred payment without a third-party lender are also excluded, provided payment is completed within 50 days, or 14 days for large e-commerce platforms.

What types of credit products are covered under CCD2?

CCD2 covers a broad range of consumer credit products, including personal loans, car loans, credit cards, overdrafts, and revolving credit overdraft facilities. Significantly, it extends coverage to products that were previously outside the scope of the original directive, including BNPL services, interest-free instalments, short-term credit below €200, and embedded finance products offered by non-bank providers such as retailers, fintechs, and telecom companies offering device financing.

Does CCD2 apply to BNPL (Buy Now Pay Later) products?

Yes. This is one of the most significant changes CCD2 introduces. BNPL products were largely outside the scope of the original directive, which allowed providers to operate without conducting formal creditworthiness assessments or providing standardised pre-contractual information. CCD2 explicitly brings BNPL and interest-free instalment products into scope, including loans below €200. BNPL providers must now assess affordability, document their decisions, and provide consumers with clear information before an agreement is concluded, the same standard that applies to traditional consumer lenders.

How does CCD2 define creditworthiness?

CCD2 requires that creditworthiness assessments be thorough, conducted in the interest of the consumer, and based on necessary and relevant information about income, expenses, and other financial and economic circumstances. Critically, the assessment must be proportional to the nature, duration, and value of the credit, and must consider whether the consumer can meet their obligations without undermining their ability to maintain a reasonable standard of living. The information used must be current, verifiable, and, where necessary, supported by independently verifiable documentation. Lenders must also document and maintain both their assessment procedures and the information they relied on, meaning the evidentiary trail matters as much as the decision itself.

How does CCD2 affect creditworthiness assessments?

CCD2 raises the evidentiary bar significantly. Lenders must now demonstrate that a credit decision was grounded in documented, traceable evidence of a consumer's income, expenditure, and existing liabilities, and critically, the assessment must consider affordability from the consumer's perspective, not just the lender's risk exposure. Lenders must be able to show that the credit is sustainable and does not undermine the consumer's ability to maintain a reasonable standard of living. For a deeper look at what this means for your data infrastructure.

What are the new rules for creditworthiness assessments under CCD2?

CCD2 fundamentally reshapes creditworthiness assessments by shifting the focus from the lender's risk exposure to the consumer's true affordability. Assessments must be thorough, conducted in the consumer's interest, and based on necessary, relevant, and accurate information about income, expenses, and existing financial liabilities, verified where necessary through independently verifiable documentation. Lenders are expressly prohibited from using health data or information scraped from social networks. Where automated processing is used, consumers have the right to request human intervention and a clear explanation of the decision. Critically, lenders must formally document and maintain both their assessment procedures and the data they relied on, meaning the evidentiary trail is now a regulatory requirement in itself, not just good practice.

What data can lenders use to assess borrowers under CCD2?

CCD2 requires that creditworthiness assessments be based on necessary, relevant, and reliable information. This can include data from credit bureaus and credit registers, self-declared information from the applicant, and financial data obtained directly from bank accounts via open banking. The directive emphasises that the information must be current and verifiable. Open banking data is particularly well-suited to meeting this standard as it provides a real-time view of income, expenditure, and existing financial commitments at the point of application, complementing traditional credit data. In an interview with UC, they mentioned that a client combining UC's conventional credit data with open banking data saw up to 30% lower credit risk in its portfolio, thanks to improved assessment accuracy and reduced uncertainty, exactly the kind of traceable documentation of repayment capacity that CCD2 is asking for.

How does CCD2 interact with PSD2 and PSD3?

CCD2 and PSD2 are two sides of the same coin. PSD2 created the mechanism to access real-time bank data with consumer consent via open banking. CCD2 creates the obligation to conduct thorough, documented affordability assessments. Together they form a natural pairing: PSD2 provides the data access infrastructure, and CCD2 creates the regulatory demand for exactly that kind of current, verifiable financial data. PSD3, which is still progressing through the EU legislative process, is expected to strengthen and further standardise open banking data access across Europe, addressing some of the inconsistencies in how PSD2 has been implemented across member states, which would make the data layer underpinning CCD2 compliance more reliable and consistent.

What are the open banking requirements under CCD2?

CCD2 does not explicitly mandate the use of open banking data, but it does require that creditworthiness assessments are based on necessary, relevant, and current information that is appropriately verified. In practice, open banking data accessed via PSD2 is the most direct way to meet this requirement, providing real-time access to transaction history, including income flows, outgoing payments, and existing financial commitments at the point of application. From this data, lenders and their technology partners can verify income, identify recurring expense patterns, and assess overall affordability. Sweden's proposed framework is already reflecting this direction, moving toward requiring documented, verifiable evidence of income and expenditure that aligns naturally with what open banking data delivers.

Can open banking data be used for CCD2 creditworthiness assessments?

Open banking data is uniquely well-suited to CCD2's requirements because it is real-time, verified, and traceable, the three things the directive is exactly asking for. When a lender pulls bank account data via PSD2, they are seeing at least 12 months of transaction history, income flows, outgoing payments, and existing financial commitments. All of which can be used to verify income, assess recurring expenses, and identify signs of financial strain. That is a fundamentally more accurate picture than self-reported information or historical credit data alone. 

How should fintech lenders and neobanks prepare for CCD2?

Preparation for CCD2 operates on two levels. At the policy level, lenders need to review which of their products are newly in scope, update their creditworthiness assessment frameworks, and ensure their pre-contractual disclosure processes meet the directive's transparency requirements.

At the infrastructure level, and this is the part that tends to get less attention, lenders need to ensure they can reliably access, verify, and document the financial data that underpins those assessments. That means having a data layer that delivers consistent, harmonised bank account data across every market they operate in, with active monitoring of live integrations and full traceability of every data fetch. For fintechs operating across multiple European markets, this is not a problem that can be solved market by market; the overhead compounds too quickly.

Explore More: