Agentic commerce — the delegation of purchasing, negotiation, and payment initiation to autonomous software agents — is advancing from research prototype to early production deployment on both sides of the Atlantic. Yet the regulatory, technical, and institutional conditions governing that deployment differ substantially between the United States and the European Union, and those differences will shape which jurisdiction achieves regulated scale first.
This paper presents a comparative analysis of agentic commerce across the two jurisdictions, structured along three axes: regulatory architecture, technical capability and standards alignment, and market adoption maturity. The analysis draws on published research spanning early agent-based e-commerce frameworks, contemporary large language model (LLM) agent security taxonomies, digital transformation scholarship, and the regulatory texts of PSD2, GDPR, NIS2, and the EU AI Act.
The central finding is that Europe holds a latent structural advantage through PSD2's delegated-consent scaffolding and the EU AI Act's conformity-assessment procedures — an advantage that exists as design potential rather than current deployment capability, because three overlapping regulatory regimes — PSD2, GDPR, and NIS2 — impose compliance burdens that no single interoperability standard currently reconciles. PSD2's TPP framework provides the consent architecture that autonomous delegation requires, but its Strong Customer Authentication requirement, as presently written, does not accommodate standing agent delegation, leaving Europe's structural advantage conditional on regulatory adjustments that have not yet arrived. The United States, operating through private contractual delegation and market-led security frameworks, carries lower compliance overhead but lacks the authoritative liability and identity scaffolding that regulated-scale agentic commerce requires. The outcome — convergence, competitive coexistence, or continued divergence — will be determined by whether European regulators produce a unified agent-identity and delegated-payment standard before US-domiciled platforms establish network-effect lock-in.
Defining Agentic Commerce and the Transatlantic Divide
Agentic commerce refers to commercial transactions in which an autonomous software agent — acting within parameters set by a principal — identifies goods or services, negotiates terms, initiates payment, and in some architectures manages post-purchase logistics, without requiring transaction-level human authorisation at each step. The agent operates on delegated authority: the human sets scope, budget, and preference constraints in advance, and the agent executes within those constraints.
The concept is not new. Agent-based e-commerce was theorised and partially implemented in the late 1990s, when researchers constructed XML-based negotiation frameworks [12], analysed the economic implications of automated market participation [15], and developed coalition-formation algorithms for agent-mediated procurement [14]. That generation of systems stalled on network adoption, the absence of interoperable identity standards, and the legal non-recognition of software agents as transaction parties [16]. Fasli [16] identified trust, security, and legal recognition as interlocking barriers — none of them purely technical — and that framing remains accurate. What has changed is the substrate: large language models now give agents the capacity to interpret unstructured product catalogues, draft negotiation responses in natural language, and adapt to novel transaction contexts without explicit rule encoding. The barriers that stalled the first wave were distributed across technical, legal, and institutional dimensions, and the same three dimensions constrain the current wave, though the balance among them has shifted. LLM capability has largely removed the reasoning and language-interpretation constraints; the remaining barriers are predominantly regulatory and institutional.
The transatlantic divide in this context is not simply a matter of regulatory lag between a faster-moving US market and a more cautious European legislative process. The divergence is structural. The European Union has built, through PSD2, GDPR, and NIS2 and is reinforcing through the EU AI Act, a dense regulatory lattice that prescribes how identity is established, how consent is captured and scoped, how data is processed, and how algorithmic systems are assessed for conformity before deployment. The United States has, by contrast, produced a fragmented set of sector-specific regulations, a market-led security standard in PCI-DSS, and a litigation-anchored consumer protection system. Neither architecture was designed with autonomous payment-initiating agents in mind.
The consequence is that both jurisdictions are adapting existing frameworks to a use case those frameworks do not cleanly address. In Europe, PSD2 permits delegated payment initiation through licensed third-party providers, but its Strong Customer Authentication (SCA) requirement was written for human authentication events — a design assumption that autonomous agents break structurally. In the United States, card network rules and UCC provisions govern consumer authorisation but contain no explicit treatment of standing agent delegation across multiple undetermined future transactions.
This paper contributes a structured comparative analysis of that divergence across three dimensions. First, it maps the regulatory gaps each jurisdiction must close to permit agentic commerce at scale. Second, it characterises the technical capability asymmetries — in payment rails, agent identity infrastructure, and security standardisation — that constrain deployment independent of regulation. Third, it assesses market adoption maturity: where agentic commerce deployments exist, how mature they are, and what the adoption trajectory looks like in each region.
The analysis proceeds as follows. Section 2 establishes why the fragmentation matters commercially and competitively. Section 3 positions this work against prior literature. Section 4 describes the comparative methodology. Section 5 presents the findings across regulatory, technical, and market dimensions. Section 6 interprets those findings in terms of mechanism, path dependency, and downstream effect. Section 7 synthesises a claim about trajectory and the levers that determine outcome. Supporting detail appears in the Limitations and Future Work sections.
Why Market Fragmentation Matters in Agentic Payments
The commercial stakes of regulatory divergence in agentic commerce are not symmetrically distributed between incumbents and entrants, or between the two jurisdictions. They fall heaviest on three groups: enterprises deploying agentic procurement at scale, payment service providers seeking to intermediate agentic transaction flows, and regulators whose supervisory frameworks were not designed to account for non-human transaction initiators.
Enterprises deploying agentic procurement at scale face an immediate cost of fragmentation in the form of duplicate compliance architecture. A firm deploying an autonomous procurement agent across US and EU supply chains must satisfy PCI-DSS and card-network stored-credential rules on one side, and PSD2 SCA exemption logic, GDPR data-minimisation requirements, and NIS2 incident reporting obligations on the other. These are not merely additive costs; they impose design constraints that conflict at the agent-architecture level. PSD2 SCA, for example, requires that strong authentication be performed by the payment service user — the human account holder — at transaction initiation. An agent that initiates payment autonomously satisfies neither the possession nor the inherence factors of the authentication triad in any straightforward way. The workaround — pre-authorising a standing delegation token — has no standardised European form, requiring enterprises to negotiate bespoke arrangements with each payment service provider.
Payment service providers building agent-compatible infrastructure face suppressed network investment returns as a direct consequence of that fragmentation. Payment infrastructure exhibits network externalities: the value of a given rail increases as more participants connect to it [6]. But network investment decisions are sensitive to regulatory certainty. A payment service provider building agent-compatible APIs — capable of receiving a structured delegation scope, verifying agent identity, and processing transactions without per-transaction human authentication — will discount the expected return on that investment if the regulatory treatment of the delegation token is unresolved. The EU's open banking infrastructure, built under PSD2, is further along in API standardisation than its US counterpart, but the SCA design tension means that European open banking APIs are not natively compatible with autonomous delegation without regulatory clarification that has not yet arrived.
Regulators in both jurisdictions face a supervisory gap with direct consumer protection implications. When an autonomous agent initiates a transaction, the chain of liability — from agent to principal to payment service provider to merchant — is not fully established under either jurisdiction's consumer protection law. Under the EU Consumer Rights Directive, the right of withdrawal attaches to the consumer as a natural person; the directive is silent on transactions initiated by an agent acting within consumer-set parameters. Under US consumer protection law, the Regulation E framework for electronic fund transfers was written for human-initiated transactions and does not explicitly allocate liability when an autonomous agent executes a transfer the consumer later disputes as outside the agent's intended scope.
The competitive asymmetry that follows from this fragmentation is directional. US-domiciled agentic commerce platforms operating under private contractual delegation can deploy faster, accumulate transaction volume, and establish the network-effect advantages that make later displacement costly [6]. European platforms constrained by compliance overhead will deploy later, at lower initial volume. The risk is structurally similar to the dynamic in which PCI-DSS became the de facto global security standard for card payments before European regulators had produced a statutory equivalent — not because it was technically superior, but because it preceded the regulatory alternative and attracted network adherence first.
Prior Analysis of Regulatory Frameworks and Commerce Technology
The literature relevant to this analysis spans four bodies of work: early agent-based e-commerce research, digital transformation scholarship, AI governance and consumer trust studies, and financial services regulation analysis.
Agent-based e-commerce foundations
The first generation of agent commerce research established the architectural and economic premises that contemporary agentic commerce inherits. Glushko, Tenenbaum, and Meltzer [12] proposed XML-based frameworks for structuring machine-to-machine commercial negotiation, identifying the interoperability problem — the need for shared ontologies across heterogeneous marketplaces — that remains unresolved in LLM-agent deployments. Sandholm [14] formalised coalition-formation and automated negotiation algorithms, demonstrating that agents could achieve near-optimal outcomes in procurement auctions under specified conditions. Vulkan [15] analysed the macroeconomic implications of widespread agent market participation, noting that agent-mediated markets tend toward price convergence and reduced search costs, but may also concentrate volume at dominant platforms. Fasli [13, 16] provided the most direct precursor to the present analysis, identifying trust, security, and legal recognition as the three interlocking barriers to agent commerce adoption — a framing that the current regulatory landscape has not superseded. The specific concern raised in [16] — that software agents lack legal personhood and therefore cannot be parties to contracts, creating unresolved liability when agent behaviour diverges from principal intent — remains a live gap under both US and EU law.
Digital transformation and institutional change
Verhoef et al. [1] and Hanelt et al. [4] provide the broader organisational context within which agentic commerce adoption occurs. Both works identify regulatory environment as a primary determinant of digital transformation velocity, with Hanelt et al. [4] specifically noting that malleable organisational designs — those capable of reconfiguring around new technology constraints — advance transformation faster than rigid hierarchies. The implication for agentic commerce is that enterprises with modular payment and procurement architectures will absorb agent integration more readily, but the regulatory ceiling they encounter is determined by their operating jurisdiction, not their internal architecture.
Acemoglu, Johnson, and Robinson [5], while operating at a macro-institutional level, supply the conceptual grounding for the path-dependency argument: institutional frameworks that reward early adoption of a given technology tend to produce durable lock-in, even when later alternatives are technically superior. Applied to agentic commerce, this supports the prediction that whichever jurisdiction first establishes a workable compliance pathway will attract disproportionate platform investment.
Consumer trust and AI acceptance
Puntoni et al. [7] document the experiential dimensions of consumer AI interaction, identifying conditions under which consumers attribute agency and responsibility to automated systems. Wang and Benbasat [11] examined trust attribution specifically in e-commerce recommendation agents, finding that consumers distinguish between competence-based trust — confidence that the agent will identify the optimal product — and integrity-based trust — confidence that the agent acts in the consumer's interest rather than the platform's. The distinction matters for agentic commerce: a consumer delegating purchasing authority requires integrity-based trust at a level substantially higher than the competence-based trust sufficient for a recommendation. Belanche et al. [9] extended this framework to service robots, finding that trust formation mechanisms are sensitive to prior experience with automation, which suggests that US consumers' longer exposure to algorithmic commerce may produce higher baseline delegation tolerance than European consumers — though this remains empirically unconfirmed for the agentic payment context specifically.
AI governance and financial inclusion
Dwivedi et al. [2] map the policy implications of generative AI across research and practice, noting that governance frameworks are lagging deployment in both jurisdictions. Mhlanga [10] analyses AI's role in financial inclusion, identifying the tension between AI's capacity to extend services to underbanked populations and the risk that opaque automated decision-making entrenches exclusion. This tension is structurally present in agentic commerce: agents optimising for efficiency will route transactions through channels that minimise cost, which may not be the channels available to lower-income consumers.
Contemporary agentic commerce research
Mao et al. [18] provide the most current systematic treatment of the security landscape for autonomous LLM agents in commerce, identifying a cross-layer attack surface spanning prompt injection, tool-call manipulation, and wallet compromise that no current security standard — PCI-DSS, ISO 27001, or NIS2 technical guidelines — was designed to address. This work is an arXiv preprint and has not yet completed formal peer review; the attack-surface taxonomy it presents is treated here as a current working framework rather than a settled empirical catalogue. Bharadwaj and Tu [17], also an arXiv preprint, report on a production deployment of agentic observability infrastructure, demonstrating measurable operational gains but within a single US enterprise context. Holgado-Sánchez et al. [19], likewise a preprint, address value-alignment learning through inverse reinforcement learning, a mechanism with direct relevance to ensuring that deployed agents act within principal-defined parameters — a governance requirement both jurisdictions will need to operationalise.
This paper differs from the prior literature in combining the regulatory mapping, technical capability analysis, and market maturity assessment into a single comparative framework, and in applying that framework specifically to the transatlantic context at the current moment of LLM-enabled agentic commerce deployment.
Comparative Framework for Jurisdictional Analysis
The analysis employs a structured comparative method across three analytical dimensions applied to two jurisdictions. The dimensions are: (1) regulatory architecture and gap identification, (2) technical capability and standards alignment, and (3) market adoption maturity. The jurisdictions are the United States and the European Union, treated as single regulatory units where supranational frameworks apply (EU-level regulation) and as federal/national aggregations where relevant sub-jurisdictional variation exists.
Analytical dimensions defined.
Regulatory architecture analysis proceeds by identifying the statutory and regulatory instruments in each jurisdiction that bear on the three core functions of agentic commerce: agent identity and authorisation, payment delegation and initiation, and liability attribution for agent-initiated transactions. For each instrument, the analysis asks whether the instrument was designed with autonomous agents in mind, whether its text admits an interpretation compatible with autonomous delegation, and what the residual gap is if it does not. The instruments examined include, for the EU: PSD2 and its implementing technical standards on SCA and common and secure open standards of communication (CSC); GDPR Article 22 (automated decision-making); NIS2 security requirements; and the EU AI Act's risk-classification and conformity-assessment provisions as they apply to AI systems in payment contexts. For the US: Regulation E (Electronic Fund Transfers), Regulation Z (Truth in Lending), card network stored-credential and delegated authentication frameworks, PCI-DSS version 4.0, and the Federal Trade Commission's unfair or deceptive acts or practices authority.
Technical capability analysis examines four infrastructure layers: payment rails and real-time settlement capability; open banking API standardisation; agent identity and credential management infrastructure; and published security standards specifically addressing autonomous agents. For each layer, the analysis characterises the current state in each jurisdiction, identifies the gap relative to what regulated agentic commerce requires, and assesses whether the gap is closable through technical standardisation alone or requires regulatory action.
Market adoption maturity draws on the published evidence base — production deployment reports, enterprise case studies, and market analyses — to characterise where agentic commerce deployments exist, what transaction volumes they process, and what adoption constraints they report. Given the sparsity of published European production data, this dimension necessarily relies more heavily on structural inference — from open banking API adoption rates, enterprise AI investment, and digital transformation maturity indicators — than on direct deployment measurement.
Assumptions and boundary conditions.
The analysis treats agentic commerce as encompassing three transaction types: autonomous retail purchasing (B2C agent acting on behalf of consumer), autonomous procurement (B2B agent acting on behalf of enterprise buyer), and autonomous service subscription management (agent managing recurring service authorisations). It excludes fully automated algorithmic trading and high-frequency financial market operations, which are governed by distinct regulatory regimes in both jurisdictions.
The analysis assumes that the relevant agentic architecture involves an LLM-based reasoning layer connected to structured tool calls for payment initiation — the architecture examined in [18] — rather than the rule-based negotiation agents studied in [12, 13, 14]. This is the architecturally relevant design for the current deployment generation, and its security and regulatory properties differ materially from prior-generation architectures.
The analysis does not assume regulatory equivalence across EU member states. Where national competent authority implementation of EU directives varies — as it does for PSD2 SCA exemption management — the analysis notes the variation but characterises the EU at the level of the directive and its European Banking Authority (EBA) regulatory technical standards.
Data sources and their limitations.
The analysis draws on the corpus of nineteen sources listed in the references. Primary regulatory texts are treated as authoritative. Academic and practitioner research is assessed for recency, methodological transparency, and geographic scope. Three sources in the corpus — [17], [18], and [19] — are arXiv preprints carrying 2026 dates and have not completed formal peer review; findings drawn from them are treated as current working frameworks rather than settled results, and the conclusions sections note this status where those findings bear on the analysis. The corpus contains a material asymmetry: published production performance data exists for one US enterprise deployment [17] and for no European deployments. This asymmetry is noted throughout the results and discussion sections, and its implications for inferential confidence are addressed in the Limitations section.
Regulatory Gaps, Capability Asymmetries, and Market Maturity
Table 1 summarises the regulatory gap assessment across the two jurisdictions for the three core agentic commerce functions. The narrative below develops each finding.
Regulatory Architecture: Gap Identification
Agent identity and authorisation.
In the EU, PSD2 establishes a licensed third-party provider (TPP) framework that requires any entity initiating a payment on a user's behalf to hold regulatory authorisation as either a Payment Initiation Service Provider (PISP) or Account Information Service Provider (AISP). The framework was designed for human-operated platforms — budgeting applications, payment aggregators — that act as intermediaries on a consumer's behalf with explicit per-session consent. An autonomous agent that initiates payments continuously within a standing delegation scope fits the PISP functional description but does not satisfy the per-transaction SCA requirement that the framework assumes.
To clarify the terminology used throughout this paper: PSD2's delegated-consent scaffolding refers to the TPP consent model — the regulatory architecture by which a consumer grants a licensed third party authority to initiate payments on their behalf. A standing delegation token refers to a credential or authorisation artefact that would encode the scope, duration, and parameters of an agent's delegated authority, allowing the agent to initiate payments across multiple future transactions without per-transaction human authentication. The standing delegation token does not currently exist as a standardised instrument in the EU regulatory framework; it represents the missing component that would need to be defined — either within the SCA regulatory technical standards or through a new layer of the PSD2 API specification — to translate PSD2's existing consent architecture into one capable of supporting autonomous agents. The two terms are therefore related hierarchically: the delegated-consent scaffolding is the existing framework, and the standing delegation token is the specific instrument that scaffolding would need to accommodate.
The EBA's regulatory technical standards on SCA specify that authentication must involve the user as a natural person; no provision exists for the user to delegate authentication authority to a software agent for an open-ended series of future transactions. The result is a functional identity gap: the agent is economically a payment initiator but legally unauthorised to complete authentication on the user's behalf. This gap is the specific point at which PSD2's structural advantage — the existence of a regulated, standardised consent framework — is currently blocked from producing deployment capability. The framework exists; the delegation instrument it requires does not.
In the US, no equivalent licensed-intermediary framework governs payment initiation on behalf of consumers. Card network rules permit merchants to store consumer credentials for recurring transactions under the stored-credential framework, which requires explicit consumer consent to a defined recurring charge. Autonomous agents operating under consumer-set spending parameters are closer to a standing authorisation for variable-amount transactions, a category that card network rules address incompletely and that Regulation E's error-resolution framework was not written to adjudicate.
Payment delegation and initiation.
Europe's open banking infrastructure, mandated under PSD2 and implemented through standardised APIs across major markets, provides a technically capable delegation scaffold — a consumer can grant a TPP access to initiate payments within defined parameters. The structural constraint is that the SCA requirement attaches to each initiation event rather than to the delegation grant, which defeats the autonomy premise of agentic commerce. The EU AI Act's conformity-assessment procedures for high-risk AI systems — which autonomous payment-initiating agents will likely meet, given their role in financial transactions — add a pre-deployment certification requirement that has no US equivalent.
The US lacks a mandated open banking API layer; data access and payment initiation rely on bilateral agreements between platforms and financial institutions, or on screen-scraping — a method that introduces both security vulnerabilities [18] and liability ambiguity. The absence of a mandated API layer means that agent integration is technically harder to standardise but contractually more flexible to scope.
Liability attribution.
Neither jurisdiction has established explicit liability rules for agent-initiated transactions that fall outside the agent's intended scope. In the EU, the Consumer Rights Directive's withdrawal rights and PSD2's unauthorised transaction refund obligations both assume a natural-person transaction originator. In the US, Regulation E's error-resolution procedures and card network chargeback rights similarly assume human initiation. The gap is not merely theoretical: an agent that misinterprets a preference parameter and initiates a purchase outside the consumer's actual intent creates a dispute that neither framework resolves with textual clarity.
Technical Capability: Asymmetries by Layer
Payment rails. The EU's SEPA Instant Credit Transfer scheme, operating through the TARGET Instant Payment Settlement (TIPS) infrastructure, provides pan-European real-time settlement architecture technically compatible with agent-initiated payment flows. Live bank participation in SEPA Instant has grown substantially but was not universal at the time of this analysis; the EU Instant Payments Regulation, adopted in April 2024, mandates phased universal reachability across euro-area payment service providers, with compliance deadlines extending through 2025 and 2027 for sending and receiving obligations respectively. The regulatory mandate creates a clear trajectory toward universal coverage, but the trajectory has not yet been completed. The US FedNow service, launched in 2023, provides real-time settlement capability. The participation models are structurally different: FedNow participation is voluntary, with banks choosing whether to connect, whereas the EU Instant Payments Regulation converts SEPA Instant reachability from an opt-in service into a mandatory obligation. The participation gap between the two systems therefore reflects a structural difference in how each jurisdiction has chosen to drive rail adoption — mandated in the EU, market-incentivised in the US — rather than simply a difference in programme maturity. ACH remains the dominant US rail for non-card transactions; its batch-processing architecture is incompatible with real-time agentic transaction flows at the latency levels modern agent architectures require.
Open banking APIs. Europe's PSD2-mandated API layer provides a standardised, regulated mechanism for third-party payment initiation that US open banking lacks. However, as the Berlin Group's NextGenPSD2 framework and the competing STET standard illustrate, European API standardisation is not fully unified — implementation variants across member states impose integration overhead on cross-border deployments. The US Consumer Financial Protection Bureau's Section 1033 rule-making on open banking data access is advancing but has not yet produced a mandatory API standard for payment initiation.
Agent identity and credential infrastructure. Neither jurisdiction has a published standard for agent identity — a credential that identifies not just the human principal but the specific agent instance, its delegated scope, and its conformity status. The absence is more consequential in Europe, where the regulatory framework otherwise requires identity verification at multiple points in the payment flow. Mao et al. [18] identify agent identity spoofing as one of the primary attack vectors in agentic commerce, and note that neither PCI-DSS 4.0 nor any current EU technical standard provides mitigation guidance specific to autonomous agents. This taxonomy, drawn from an arXiv preprint, represents the current working state of the field rather than a peer-reviewed and validated catalogue, but the structural attack-surface description it provides aligns with the regulatory gaps identified in the preceding analysis.
Security standards. The cross-layer attack surface documented in [18] — spanning prompt injection at the reasoning layer, tool-call manipulation at the integration layer, and wallet-level credential theft at the payment layer — is not addressed by any current published standard in either jurisdiction. ISO 27001, NIS2 technical guidelines, and PCI-DSS 4.0 provide general controls for software and payment security but do not address the specific vulnerabilities introduced by LLM-based reasoning and tool-call execution. The EU's ENISA has issued guidance on AI security generally, but not on agentic payment systems specifically.
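As an added illustration, not taken from the paper and not the specification of any existing EU or US standard, the following Python sketch shows what the standing delegation token described under "Agent identity and authorisation" and the agent-instance credential discussed under "Agent identity and credential infrastructure" might encode, together with the check a payment service provider could run on each agent-initiated payment request. Every field name, the HMAC signing with a PSP-held key, the in-memory spend ledger and the sample requests are assumptions constructed for this example.

```python
"""
Added example (not from the paper): a minimal standing delegation token and the
per-request scope check a payment service provider (PSP) could apply to
agent-initiated payments. Field names, HMAC signing and the spend ledger are
assumptions of this example; no current standard defines such a token.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed: a key held by the PSP that issues the token and verifies requests.
# A production design would bind an asymmetric signature to the issuer; HMAC
# keeps the example self-contained.
ISSUER_KEY = b"example-psp-key-not-for-production"


def canonical(payload: dict) -> bytes:
    """Canonical JSON so signing and verification see identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(principal: str, agent_instance: str, scope: dict,
                not_before: int, expires_at: int, key: bytes = ISSUER_KEY) -> dict:
    """Encode who delegated, to which agent instance, within what scope and window."""
    payload = {
        "token_id": hashlib.sha256(f"{principal}:{agent_instance}:{not_before}".encode()).hexdigest()[:16],
        "principal": principal,
        "agent_instance": agent_instance,  # names the agent instance, not only the human principal
        "scope": scope,
        "not_before": not_before,
        "expires_at": expires_at,
    }
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


@dataclass
class Ledger:
    """Cumulative spend per token_id, kept on the verifier side."""
    spent: dict = field(default_factory=dict)


def authorise(token: dict, request: dict, ledger: Ledger, now: int,
              key: bytes = ISSUER_KEY) -> tuple:
    """Decide whether one payment request falls inside the delegated scope.

    request keys: agent_instance, amount, currency, merchant_category.
    Returns (allowed, reason); the ledger is updated only on success.
    """
    payload, mac = token["payload"], token["mac"]
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "signature mismatch: token altered or not issued by this PSP"
    if not (payload["not_before"] <= now < payload["expires_at"]):
        return False, "token outside its validity window"
    if request["agent_instance"] != payload["agent_instance"]:
        return False, "request comes from an agent instance the token does not name"
    scope = payload["scope"]
    if request["currency"] != scope["currency"]:
        return False, "currency not delegated"
    if request["merchant_category"] not in scope["merchant_categories"]:
        return False, "merchant category not delegated"
    if request["amount"] > scope["max_per_transaction"]:
        return False, "amount exceeds per-transaction cap"
    spent = ledger.spent.get(payload["token_id"], 0)
    if spent + request["amount"] > scope["total_budget"]:
        return False, "amount would exceed the delegation's total budget"
    ledger.spent[payload["token_id"]] = spent + request["amount"]
    return True, "within delegated scope"


def demo() -> list:
    """Constructed requests against one token; returns the decisions in order."""
    t0 = 1_700_000_000
    token = issue_token(
        principal="consumer-123",
        agent_instance="shopping-agent/instance-7f",
        scope={"currency": "EUR", "max_per_transaction": 50, "total_budget": 120,
               "merchant_categories": ["grocery", "pharmacy"]},
        not_before=t0, expires_at=t0 + 30 * 24 * 3600,
    )
    ledger = Ledger()
    now = t0 + 3600
    base = {"agent_instance": "shopping-agent/instance-7f", "currency": "EUR"}
    requests = [
        {**base, "amount": 40, "merchant_category": "grocery"},      # allowed, spent 40
        {**base, "amount": 60, "merchant_category": "grocery"},      # over per-transaction cap
        {**base, "amount": 20, "merchant_category": "electronics"},  # category not delegated
        {**base, "amount": 45, "merchant_category": "pharmacy"},     # allowed, spent 85
        {**base, "amount": 45, "merchant_category": "pharmacy"},     # 130 would exceed 120
        {**base, "amount": 10, "merchant_category": "grocery",
         "agent_instance": "other-agent"},                           # wrong agent instance
    ]
    results = [authorise(token, r, ledger, now) for r in requests]
    # A token whose budget was raised after issuance fails the signature check.
    tampered = {"payload": {**token["payload"],
                            "scope": {**token["payload"]["scope"], "total_budget": 10_000}},
                "mac": token["mac"]}
    results.append(authorise(tampered, requests[0], ledger, now))
    # An expired token is rejected regardless of scope.
    results.append(authorise(token, requests[0], ledger, t0 + 31 * 24 * 3600))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The design point is the one the paper makes about SCA: here the authentication event is the issuance of the token, and each later initiation is checked against the recorded grant (agent instance, time window, currency, merchant categories, per-transaction cap, cumulative budget) rather than against a fresh human authentication. The signature check is what prevents the agent or an intermediary from widening the scope after issuance, and the ledger is what gives the budget cap meaning across a series of undetermined future transactions.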
Market Adoption Maturity
The published evidence base for production agentic commerce deployments is asymmetric. Bharadwaj and Tu [17] report on an Adobe production deployment of agentic observability infrastructure that achieved a ninety-percent reduction in mean-time-to-insight for e-commerce alert triage — a result that quantifies the operational value of agent-assisted operations monitoring, though the deployment describes alert triage rather than autonomous transaction initiation. No equivalent European production deployment report is present in the corpus. This asymmetry does not establish that European deployments do not exist; it establishes that if they do, they have not been documented in the published research literature at comparable specificity.
The digital transformation literature [1, 4] provides indirect evidence of adoption readiness: European enterprises, particularly in Northern and Western Europe, score highly on digital transformation maturity indices, and the open banking infrastructure provides technical prerequisites that US enterprises must construct bilaterally. However, maturity on enabling infrastructure does not directly translate to agentic commerce deployment, particularly given the regulatory constraints identified above.
Consumer willingness to delegate purchasing authority to autonomous agents remains empirically unconfirmed at the jurisdictional comparison level. Wang and Benbasat [11] document the distinction between competence-based and integrity-based trust in recommendation agents; Belanche et al. [9] find service robot acceptance varies by prior automation experience; Puntoni et al. [7] identify conditions for consumer AI acceptance broadly — but none of these studies directly measure consumer willingness to grant standing purchasing delegation across price categories in a US vs. EU comparison. This measurement gap is the single largest empirical deficit in the current evidence base.
Mechanisms of Fragmentation and Systemic Implications
The gaps identified in the results section are not uniformly attributable to regulatory inertia or technical immaturity. Several have distinct causal mechanisms, and distinguishing those mechanisms matters for assessing what interventions are likely to close them.
Mechanism 1: Deliberate Policy Choice — The SCA Design Decision
The PSD2 SCA requirement was a deliberate regulatory choice to anchor payment authentication to a natural person. It was not an oversight; it was a fraud-reduction mechanism designed in response to card-not-present fraud rates that regulators and banks found unacceptable. The consequence for agentic commerce is not an accident of poor legislative drafting but the direct result of a policy preference that prioritises consumer authentication integrity over transaction automation convenience. This means that relaxing SCA for autonomous agents is not a technical fix but a policy decision that requires EBA to make an explicit trade-off between agent-enabled efficiency and the fraud exposure that per-transaction human authentication was designed to prevent.
The US market arrived at a different trade-off through a different process. PCI-DSS and card network fraud liability rules allocate fraud losses across acquirers, issuers, and merchants through a structure that encourages investment in fraud prevention without mandating specific authentication methods at the transaction level. The result is a more permissive environment for credential delegation — one that private actors have exploited to build stored-credential and account-updater infrastructure that is more agent-compatible than the EU's mandated SCA framework. The trade-off is not that the US has solved the fraud problem; it is that the US has distributed the fraud cost differently, and that distribution is compatible with agent delegation in a way the EU's distribution is not.
Mechanism 2: Path Dependency — API Standardisation and Its Consequences
The EU's investment in PSD2-mandated open banking APIs reflects a path taken in 2015 that prioritised regulatory intervention over market-led standardisation. That path produced measurable infrastructure — standardised APIs connecting banks and TPPs across the EU — but it also locked the API design to the human-authentication assumption baked into PSD2. Retrofitting the API standard to accommodate autonomous agents requires either an amendment to the SCA regulatory technical standards (an EBA process) or the creation of a new API standard layer sitting above PSD2's TPP framework — both of which involve regulatory coordination timelines that market-led US approaches can outrun.
The US market's bilateral API arrangements are technically less standardised but regulatorily more plastic. A US bank and a platform provider can negotiate a standing-delegation API arrangement contractually, without waiting for a regulatory technical standard to be amended. This plasticity is not cost-free — it produces fragmentation across the US banking ecosystem — but it permits agentic commerce deployments to proceed while regulatory frameworks catch up. Liebowitz and Margolis's [6] analysis of network externalities is instructive here: the theoretical fragility of network lock-in does not prevent its practical persistence, because switching costs accumulate before the superior alternative achieves comparable adoption.
Mechanism 3: Regulatory Overlap — The PSD2/GDPR/NIS2 Stack
The EU's three-framework compliance stack imposes a distinctive form of overhead on agentic commerce that has no direct US analogue. PSD2 governs payment initiation and authentication. GDPR governs the personal data that an agent necessarily processes when evaluating purchase options — price history, preference data, browsing behaviour. NIS2 governs the security of the information systems through which the agent operates. Each framework was designed independently and contains provisions that interact in non-obvious ways at the agent-architecture level.
GDPR Article 22 prohibits decisions based solely on automated processing that produce legal or similarly significant effects on a data subject, unless specific conditions are met. The purchase of a good or service using a consumer's funds is plausibly a significant financial effect. If Article 22 applies to agent-initiated transactions, it imposes a human-review requirement that defeats the autonomy premise. The correct interpretation of Article 22 in the agentic commerce context has not been authoritatively resolved by the European Data Protection Board or any national supervisory authority. Enterprises deploying agentic commerce in Europe therefore face interpretive risk on top of compliance overhead.
NIS2's incident-reporting obligations apply to essential and important entities across a wide range of sectors. A major enterprise whose procurement operations are substantially agentic would likely fall within scope. The requirement to report significant incidents within twenty-four hours of detection imposes observability infrastructure requirements on agent deployments that the general enterprise IT posture may not satisfy. Bharadwaj and Tu [17] demonstrate that agentic observability infrastructure can achieve material reductions in alert triage time, but their deployment describes a single US enterprise; equivalent European deployments face the additional layer of regulatory reporting obligations attached to the observability data they generate.
Mechanism 4: The Value-Alignment Governance Gap
Holgado-Sánchez et al. [19] present inverse reinforcement learning as a mechanism for inferring and aligning agent value systems from observed behaviour, providing a technical pathway toward ensuring that deployed agents act within principal-defined parameters. The mechanism is promising but unproven at the transaction volumes and parameter complexity that consumer-facing agentic commerce requires; the work is an arXiv preprint, and the production-scale validation that would confirm the approach's robustness under adversarial conditions has not yet been published. The governance gap this creates — the absence of a certification procedure that verifies that a deployed agent will remain within its delegated scope under adversarial conditions — is shared by both jurisdictions, but its regulatory implications differ.
The EU AI Act's conformity-assessment procedures for high-risk AI systems require pre-deployment testing and documentation of system behaviour within defined parameters. This is, in principle, the correct framework for certifying that an agentic commerce system will not exceed its delegated scope. In practice, the conformity-assessment procedures were designed for AI systems with more deterministic behaviour profiles than LLM-based agents, whose outputs are stochastic and context-sensitive. The gap between the conformity-assessment design and the actual behaviour profile of LLM agents means that certification under the EU AI Act may be technically achievable — by constraining the agent's action space sufficiently — but may produce certified systems that are insufficiently capable to justify deployment. The US, without an equivalent certification requirement, faces no analogous constraint but also provides no equivalent assurance to consumers or counterparties.
Systemic Implications
The combined effect of these mechanisms is a deployment asymmetry that favours US-domiciled platforms in the near term, with structural consequences that extend beyond the first-mover advantage. Network externalities in payment platforms are potent in practice even when theoretically fragile [6]. An agentic commerce platform that accumulates sufficient transaction volume — merchant integrations, consumer preference data, negotiation histories — becomes difficult to displace even when a technically superior or more compliant alternative emerges.
The historical precedent that illuminates this dynamic is not EMV chip technology — which was developed by Europay, Mastercard, and Visa and achieved broad deployment in Europe years before US card networks completed their liability-shift-driven migration — but rather the pattern of PCI-DSS adoption, in which a US-industry-led private security standard achieved global de-facto authority before any statutory equivalent was produced, because it accumulated network adherence during the period when no regulatory alternative existed. The structural difference between that precedent and the current agentic commerce situation is that the EU AI Act and the NIS2 framework do provide statutory bases for a public regulatory standard; the question is whether those bases are exercised before US-led private standards establish the same network-adherence dynamic.
The security implications of premature US-led lock-in are not trivial. Mao et al. [18] document a cross-layer attack surface in LLM-based agentic commerce that existing standards frameworks do not address. A US-domiciled platform that achieves network-effect lock-in under a private contractual security framework carries that framework's unresolved vulnerabilities into the global transaction volume it processes. The absence of a public regulatory standard covering agent identity, prompt-injection mitigation, and tool-call scope enforcement means that the platform's security posture is self-certified — a condition that the payment industry's experience with self-assessed PCI-DSS compliance has demonstrated produces variable outcomes.
Pathways Forward: Convergence, Coexistence, or Continued Divergence
Three trajectories are available from the current position: regulatory convergence through transatlantic coordination, structured coexistence in which each jurisdiction develops its own compliant deployment ecosystem, and continued divergence in which US-domiciled platforms achieve network-effect lock-in before European regulatory clarity arrives.
The convergence pathway requires a specific set of institutional actions. The EBA and ENISA must jointly produce a technical standard that resolves the three-framework compliance stack — assigning GDPR Article 22 interpretation, SCA delegation scope, and NIS2 incident-reporting obligations to a single coherent agent-identity and payment-delegation specification. That standard must then be referenced by the EU AI Act's conformity-assessment guidelines for AI systems in payment contexts, so that a single pre-deployment certification procedure satisfies the AI Act, PSD2, and GDPR requirements simultaneously. On the US side, convergence requires either the CFPB's Section 1033 open banking rule-making to include agent-delegation API specifications, or the card networks and major banks to produce an industry standard sufficiently aligned with the European specification to permit mutual recognition. The Federal Reserve's FedNow infrastructure and the CFPB's open banking work provide the institutional levers; neither has yet been applied to the agentic commerce context.
The coexistence pathway is more likely in the medium term. Each jurisdiction's regulatory architecture already has the structural components required to support agentic commerce, but they require internal reconciliation rather than cross-border harmonisation. Europe's PSD2 delegated-consent scaffolding, properly extended to cover standing agent delegation tokens with defined scope parameters — specifying the agent instance, the transaction-type permissions, the monetary ceiling, and the revocation mechanism — would resolve the SCA design tension without requiring a wholesale revision of the authentication framework. The standing delegation token would function as an extended SCA event: the human performs a single strong authentication to establish the delegation, and subsequent agent-initiated transactions within the declared scope execute under that standing authentication rather than requiring per-transaction re-authentication. This architecture preserves the fraud-protection logic of SCA — the human's intent is authenticated at delegation, not circumvented — while removing the per-transaction human authentication requirement that defeats agent autonomy. The EU AI Act's conformity-assessment procedures, if the implementing guidelines specify an agent-behaviour testing protocol calibrated to stochastic LLM outputs rather than deterministic rule-based systems, would provide a certification pathway that LLM-based agents can satisfy. These are internal European regulatory adjustments; they do not require transatlantic coordination. Similarly, the US card network stored-credential framework, extended to cover variable-amount standing agent authorisations with explicit scope declaration, would provide a contractual delegation mechanism that most US agentic commerce deployments could operate within.
The continued divergence pathway is the default outcome if neither set of adjustments occurs on the timescale at which agentic commerce platforms are building transaction volume. The mechanism is not regulatory failure in any dramatic sense; it is the ordinary operation of regulatory process timelines in the presence of rapid technology deployment. EBA regulatory technical standard amendments proceed through a defined consultation and impact-assessment process before reaching implementation — a timeline measured in years rather than months, based on the observable pace of prior EBA RTS revision cycles. EU AI Act implementing guidelines are being produced on a similar timeline. US card network rule revisions move faster but are subject to litigation and merchant resistance. If US-domiciled platforms build the merchant integrations, consumer preference datasets, and agent-identity infrastructure in the gap between now and when European regulatory clarity arrives, the switching costs that later-arriving European-compliant alternatives face will be substantial — not because those alternatives are inferior, but because the network is already built.
The specific levers that determine which trajectory materialises are identifiable and distinct. On the European side: the speed at which EBA produces a unified agent-delegation technical standard defining standing-token scope and authentication architecture; the European Data Protection Board's willingness to issue a formal opinion on the application of GDPR Article 22 to agent-initiated consumer transactions, removing the interpretive risk that currently deters deployment; the aggressiveness with which European national competent authorities pursue Article 22 enforcement against live agentic commerce deployments while that opinion remains pending; and the investment decisions of major European payment service providers in building agent-compatible API infrastructure ahead of regulatory clarity. On the US side: the breadth of FedNow participation growth and the CFPB's willingness to extend Section 1033 to cover payment initiation by autonomous agents with explicit scope declaration; the pace at which the major card networks revise their stored-credential frameworks to accommodate variable-amount standing agent authorisations; and whether the Federal Trade Commission exercises its unfair or deceptive acts or practices authority to establish baseline liability standards for agent-initiated transactions before a court-developed common-law standard emerges.
This paper has established that Europe's regulatory architecture contains the structural prerequisites for regulated-scale agentic commerce — the delegated-consent model, the conformity-assessment machinery, the real-time payment rails under a mandatory-reachability regime — but that those prerequisites remain disaggregated across three frameworks that do not compose into a workable compliance pathway without deliberate coordination. The specific missing element is an instrument that translates PSD2's existing consent architecture into a standing delegation token: a standardised credential encoding agent-instance identity, delegated transaction scope, monetary parameters, and revocation conditions, authenticated once by the human principal and thereafter accepted by payment service providers as sufficient authorisation for agent-initiated transactions within its declared scope. Until that instrument is defined and standardised, the delegated-consent scaffolding that constitutes Europe's structural advantage is present in design but absent in execution.
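As an added illustration that is not part of the paper, the following Python models the standing delegation token described here and in the coexistence pathway above: the PSP binds the declared scope at the single SCA event, and each later agent-initiated transaction is accepted only if it passes every scope check (agent instance, transaction type, per-transaction and cumulative ceilings, expiry, revocation). The field set, reason codes and HMAC binding are assumptions for illustration, not any standard's format, and the transactions are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DelegationToken:
    """Scope the human principal authenticated once (hypothetical field set)."""
    token_id: str
    principal_id: str             # human who performed the SCA event
    agent_instance_id: str        # the specific agent instance, not just its vendor
    transaction_types: frozenset  # permitted transaction types
    per_txn_ceiling: int          # minor currency units (e.g. cents)
    cumulative_ceiling: int       # total spend permitted over the token lifetime
    currency: str
    issued_at: int                # epoch seconds of the SCA event
    expires_at: int

    def canonical(self) -> bytes:
        # Deterministic serialisation so the MAC covers every scope field.
        d = dict(self.__dict__)
        d["transaction_types"] = sorted(self.transaction_types)
        return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def bind_token(psp_key: bytes, token: DelegationToken) -> str:
    """PSP records the SCA event by MACing the declared scope (assumed binding)."""
    return hmac.new(psp_key, token.canonical(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Transaction:
    agent_instance_id: str
    transaction_type: str
    amount: int
    currency: str
    timestamp: int


@dataclass
class PspState:
    psp_key: bytes
    revoked: set = field(default_factory=set)   # token ids withdrawn by the principal
    spent: dict = field(default_factory=dict)   # token_id -> cumulative spend


def authorise(state: PspState, token: DelegationToken, tag: str, txn: Transaction) -> str:
    """Return "OK" or a reason code; any failure is a hard decline, never a re-prompt."""
    if not hmac.compare_digest(bind_token(state.psp_key, token), tag):
        return "SIGNATURE_INVALID"   # scope fields differ from what the SCA event bound
    if token.token_id in state.revoked:
        return "REVOKED"
    if not token.issued_at <= txn.timestamp < token.expires_at:
        return "EXPIRED"
    if txn.agent_instance_id != token.agent_instance_id:
        return "AGENT_MISMATCH"      # another agent instance presenting the token
    if txn.transaction_type not in token.transaction_types:
        return "TYPE_NOT_PERMITTED"
    if txn.currency != token.currency:
        return "CURRENCY_MISMATCH"
    if txn.amount <= 0 or txn.amount > token.per_txn_ceiling:
        return "CEILING_EXCEEDED"
    already = state.spent.get(token.token_id, 0)
    if already + txn.amount > token.cumulative_ceiling:
        return "CUMULATIVE_EXCEEDED"
    state.spent[token.token_id] = already + txn.amount
    return "OK"


def demo() -> list:
    """Constructed scenario: one delegation, six agent-initiated transactions."""
    state = PspState(psp_key=b"placeholder-psp-key")
    tok = DelegationToken("tok-1", "principal-a", "agent-7", frozenset({"retail_purchase"}),
                          per_txn_ceiling=5000, cumulative_ceiling=12000, currency="EUR",
                          issued_at=1_700_000_000, expires_at=1_700_086_400)
    tag = bind_token(state.psp_key, tok)  # the single SCA event
    attempts = [
        Transaction("agent-7", "retail_purchase", 4000, "EUR", 1_700_000_100),  # in scope
        Transaction("agent-7", "retail_purchase", 6000, "EUR", 1_700_000_200),  # over per-txn cap
        Transaction("agent-9", "retail_purchase", 1000, "EUR", 1_700_000_300),  # wrong agent
        Transaction("agent-7", "retail_purchase", 4500, "EUR", 1_700_000_400),  # in scope
        Transaction("agent-7", "retail_purchase", 4500, "EUR", 1_700_000_500),  # over cumulative cap
    ]
    results = [authorise(state, tok, tag, t) for t in attempts]
    state.revoked.add("tok-1")  # principal withdraws the delegation
    results.append(authorise(state, tok, tag, Transaction("agent-7", "retail_purchase", 100, "EUR", 1_700_000_600)))
    return results
```

Because the MAC covers every scope field, an agent or intermediary that alters the ceiling or agent identity after the SCA event presents a token the PSP rejects outright, which is the property that lets one human authentication stand in for per-transaction SCA.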
The United States has proceeded without those prerequisites by relying on contractual flexibility and market-led security standards, which produces deployment velocity at the cost of the liability and identity scaffolding that regulated scale requires. Specifically: there is no US statutory instrument requiring payment service providers to accept or process agent-delegation tokens; there is no published standard defining what information a delegation credential must carry; there is no explicit liability allocation for disputes arising from agent-initiated transactions that exceed their intended scope; and there is no pre-deployment conformity requirement for the LLM systems that interpret delegation parameters and execute transaction decisions. These absences enable rapid deployment while leaving each of the liability, identity, and security questions to be resolved through litigation, contractual negotiation, or post-hoc industry standardisation — processes that historically produce workable outcomes on timescales measured in legislative cycles rather than product-launch cycles.
The question determining the transatlantic outcome is not which jurisdiction's regulatory design is more coherent in principle, but which one closes its specific internal gap — Europe's disaggregated three-framework compliance burden, the US's absence of explicit statutory delegation infrastructure — before the other's deployment volume generates switching costs large enough to anchor the incumbent architecture in place.
Sources and Further Reading
- [1] Digital transformation: A multidisciplinary reflection and research agenda — Verhoef, Broekhuizen, Bart, Bhattacharya, Dong, Fabian (2019) — https://doi.org/10.1016/j.jbusres.2019.09.022
- [2] Opinion Paper: "So what if ChatGPT wrote it?" Multidisciplinary perspectives on opportunities, challenges and implications of generative conversational AI for research, practice and policy — Dwivedi, Kshetri, Hughes, Slade, Jeyaraj, Kar (2023) — https://doi.org/10.1016/j.ijinfomgt.2023.102642
- [3] How artificial intelligence will change the future of marketing — Davenport, Guha, Grewal, Bressgott (2019) — https://doi.org/10.1007/s11747-019-00696-0
- [4] A Systematic Review of the Literature on Digital Transformation: Insights and Implications for Strategy and Organizational Change — Hanelt, Bohnsack, Marz, Marante (2020) — https://doi.org/10.1111/joms.12639
- [5] Institutions as the Fundamental Cause of Long-Run Growth — Acemoglu, Johnson, Robinson (2004) — https://doi.org/10.3386/w10481
- [6] Network Externality: An Uncommon Tragedy — Liebowitz, Margolis (1994) — https://doi.org/10.1257/jep.8.2.133
- [7] Consumers and Artificial Intelligence: An Experiential Perspective — Puntoni, Reczek, Giesler, Botti (2020) — https://doi.org/10.1177/0022242920953847
- [8] Blockchain technology: implications for operations and supply chain management — Cole, Stevenson, Aitken (2019) — https://doi.org/10.1108/scm-09-2018-0309
- [9] Service robot implementation: a theoretical framework and research agenda — Belanche, Casaló, Flavián, Schepers (2019) — https://doi.org/10.1080/02642069.2019.1672666
- [10] Industry 4.0 in Finance: The Impact of Artificial Intelligence (AI) on Digital Financial Inclusion — Mhlanga (2020) — https://doi.org/10.3390/ijfs8030045
- [11] Attributions of Trust in Decision Support Technologies: A Study of Recommendation Agents for E-Commerce — Wang, Benbasat (2008) — https://doi.org/10.2753/mis0742-1222240410
- [12] An XML framework for agent-based E-commerce — Glushko, Tenenbaum, Meltzer (1999) — https://doi.org/10.1145/295685.295720
- [13] Agent Technology For E-Commerce — Fasli (2007) — https://openalex.org/W130990728
- [14] Agents in Electronic Commerce: Component Technologies for Automated Negotiation and Coalition Formation — Sandholm (2000) — https://doi.org/10.1023/a:1010038012192
- [15] Economic Implications of Agent Technology and E-Commerce — Vulkan (1999) — https://doi.org/10.1111/1468-0297.00403
- [16] On agent technology for e-commerce: trust, security and legal issues — Fasli (2007) — https://doi.org/10.1017/s0269888907001014
- [17] Agentic Observability: Automated Alert Triage for Adobe E-Commerce — Bharadwaj, Tu (2026) — arXiv preprint, not yet peer reviewed — https://arxiv.org/abs/2602.02585
- [18] SoK: Security of Autonomous LLM Agents in Agentic Commerce — Mao, Wang, Liu, Zhu, Ma, Yan (2026) — arXiv preprint, not yet peer reviewed — https://arxiv.org/abs/2604.15367
- [19] Learning the Value Systems of Agents with Preference-based and Inverse Reinforcement Learning — Holgado-Sánchez, Billhardt, Fernández, Ossowski (2026) — arXiv preprint, not yet peer reviewed — https://arxiv.org/abs/2602.04518
Scope Boundaries and Data Constraints
This analysis carries several constraints that affect the confidence and generalisability of its findings.
Jurisdictional coverage. The paper treats the European Union as a single regulatory unit and the United States as a federal unit, which obscures material variation within each. EU member states implement PSD2 through national transposition, and EBA regulatory technical standards are applied with varying strictness by national competent authorities. The UK's post-Brexit open banking regime — operated under the Payment Systems Regulator and the Financial Conduct Authority — is structurally relevant as a comparator but is excluded from this analysis. The paper does not address agentic commerce regulatory conditions in Asia-Pacific jurisdictions, where regulatory frameworks in Singapore, Japan, and Australia are developing along distinct trajectories.
Access to proprietary implementations. The analysis is based entirely on published research and publicly available regulatory texts. Enterprise agentic commerce deployments — whether at US retail platforms, European open banking TPPs, or enterprise procurement systems — are not publicly documented at the implementation level. The gap between what is published and what is deployed may be substantial, and this analysis can only characterise the former. The single production deployment report in the corpus [17] describes observability infrastructure rather than payment delegation, covers one US enterprise, and is an arXiv preprint that has not completed formal peer review. Any conclusion about comparative deployment maturity is therefore an inference from indirect evidence.
Temporal snapshot. The regulatory landscape for agentic commerce is actively moving. The EU AI Act's implementing guidelines for high-risk AI systems are being drafted; the CFPB's Section 1033 rule-making is proceeding; EBA working groups on AI in payments are active; the EU Instant Payments Regulation's phased compliance deadlines are running. This analysis reflects the state of published instruments and research as of its writing. A regulatory development — an EBA opinion on autonomous payment initiation, a card network rule revision on agent delegation — could materially alter the gap assessment within months.
Corpus asymmetry. As noted throughout the results section, the published evidence base contains no European production agentic commerce deployment data at a level of specificity comparable to [17]. This asymmetry may reflect genuine deployment scarcity in Europe, or it may reflect a publication and reporting culture that produces less publicly documented case material. The analysis cannot distinguish between these explanations and notes this as a material constraint on its conclusions regarding comparative market maturity.
Preprint reliance. Three sources — [17], [18], and [19] — are arXiv preprints and have not undergone formal peer review. Source [18] is the sole published basis for the cross-layer attack-surface taxonomy applied in the security standards analysis; its findings are treated as a current working framework rather than a validated empirical result, but the analysis would benefit from confirmation through peer-reviewed publication or independent replication.
Concrete Research and Policy Questions
Several specific research and policy questions follow directly from the gaps this analysis identifies.
Consumer delegation willingness across jurisdictions. The most consequential empirical gap is the absence of comparative data on consumer willingness to delegate purchasing authority to autonomous agents across matched product categories and price points in the US and EU. A controlled survey study — administering identical delegation scenarios to matched national samples — would provide the first cross-jurisdictional measurement of the behavioural premise that agentic commerce depends on. The study should test whether the competence/integrity trust distinction identified in [11] predicts delegation willingness differently in the two markets, and whether prior experience with open banking services (more common in the EU) or algorithmic commerce recommendations (more common in the US) functions as a trust precondition.
SCA exemption architecture for agent delegation. The specific regulatory mechanism by which EBA could extend or restructure SCA exemptions to cover standing agent delegation tokens — without degrading the fraud protection that per-transaction SCA provides — requires technical and legal analysis beyond the scope of this paper. This is a tractable policy design problem: the inputs are defined (the existing SCA exemption categories, the fraud rate data that EBA uses to calibrate exemption thresholds, the agent-delegation scope parameters that would need to be specified), and the output would be a concrete draft amendment to the SCA regulatory technical standards.
Cross-layer security standards for LLM-based commerce agents. Mao et al. [18] identify the attack surface; no standard addresses it. The specific gap is a published security testing protocol for LLM-based agentic commerce systems covering prompt-injection resistance, tool-call scope enforcement, and wallet-credential isolation. This is an appropriate joint workstream for ENISA and the US National Institute of Standards and Technology (NIST), building on NIST's existing AI Risk Management Framework.
Longitudinal deployment tracking. A structured registry of live agentic commerce deployments — recording jurisdiction, transaction type, delegated scope, compliance pathway, and security incident history — would provide the evidence base that comparative analysis currently lacks. This is a data infrastructure investment appropriate for a standards body or research consortium, not a single academic study.