As a litigation lawyer, some of the cases I handled involved phone spoofing fraud, phishing, contactless theft, and account takeovers. These cases have led me to confront a structural problem in European payments law – the rules governing liability and consumer protection were designed around a world where money sits in a commercial bank account. The Digital Euro will fundamentally disrupt that assumption, and it is that disruption that I will proceed to examine.

The Digital Euro is not merely a new payment method. It is central bank money held in digital form, a direct liability of the European Central Bank, distributed to citizens and businesses through payment service providers acting as intermediaries. The proposed Regulation on the establishment of the digital euro, published by the European Commission in June 2023, already draws the boundary that matters most for litigators: as Recital 9 makes clear, no contractual relationship is established between the digital euro user and the European Central Bank or the national central banks[1]. Payment service providers manage digital euro accounts on the users’ behalf. The consequence for litigation arises from the fact that action against the European Central Bank will not be contractual, as there is no contract to breach. Any such claim will be governed exclusively by the rules of extra-contractual responsibility.

Before examining those gaps, it is worth noting the legislative framework the Digital Euro will inherit. Article 5(3)[2] of the proposed Regulation expressly provides that digital euro payment transactions are subject to Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market (hereinafter, “PSD2”)[3] as replaced in due course by the proposed Third Payment Services Directive and by the proposed Payment Services Regulation[4]. The full liability and authentication regime currently governing payment service providers, including the rules on authentication, the obligation to refund unauthorised transactions, and the reversal of the burden of proof, will therefore apply directly to digital euro payment transactions. What the proposed Regulation does not resolve, and what I will focus on, is what happens when that framework reaches its limits, whether because the loss arises at the level of the European Central Bank itself, or because the existing exceptions in the Directive leave the user unprotected.

The first gap concerns the European Central Bank. Under Article 340(3) of the Treaty on the Functioning of the European Union (hereinafter, “the Treaty”), the European Central Bank is liable only for damage caused by its servants in the performance of their duties, in accordance with general principles common to the laws of the Member States. This provision was designed for an institution exercising monetary policy functions, not the operation of a retail payment infrastructure used by hundreds of millions of citizens. No explicit provision in the draft Regulation addresses this gap. There is, however, one operative provision that creates a measurable institutional obligation and may serve as the foundation for extra-contractual claims: Article 32(1) of the proposed Regulation, which establishes a general fraud detection and prevention mechanism applicable at the level of the Digital Euro system itself[5]. The Explanatory Memorandum confirms that the European Central Bank may operate this function directly or confer it upon providers of support services. The provision concerns third-party fraud directed against users and falls within the scope of systemic liability rather than user misconduct. If the European Central Bank fails to implement adequate fraud detection under Article 32(1), and that failure causes loss to a user, Article 340(3) of the Treaty may become the only available route to redress.

The second gap is already being litigated today. The Court of Justice of the European Union, in DenizBank AG v. Verein für Konsumenteninformation[6], held that the near-field communication (hereinafter, “NFC”) function of a payment device qualifies as a payment instrument under the PSD2, and that its contactless use for low-value transactions constitutes anonymous use. The legal consequence is that Article 63(1)(b) of the aforementioned Directive allows payment service providers to exclude by contract their liability for unauthorised transactions, where the instrument is used anonymously and the amount does not exceed 30 euros, in relation to the Digital Euro as well. Domestic courts have applied this rule in cases involving NFC payments made through digital wallets and have examined cases where banking system failures delayed transaction visibility, asking in both instances whether the payment service provider had demonstrated compliance with the authentication and deficiency-free standard that the Directive requires. The proposed Regulation envisions an offline Digital Euro that operates without real-time verification with the Eurosystem, closely analogous to NFC, in its anonymity properties. Whether (offline) digital euro transactions will be subject to the same anonymous-use exceptions, given its anonymity guarantees, or whether a different rule will apply, represents a lacuna in the current text.

The third gap concerns the allocation of the burden of proof. Article 72 of the PSD2 establishes that where a user denies having authorised a payment transaction, the burden lies with the payment service provider to demonstrate that the transaction was authenticated, correctly recorded, and unaffected by any technical deficiency. Domestic courts have confirmed, in multiple cases, that a user who promptly notifies their payment service provider of an unauthorised transaction satisfies this obligation. The Bucharest Court of Appeal, in a decision from December 2025[7], went further: it held that a bank bears a contractual obligation to implement fraud detection systems capable of identifying fraudulent payment operations, and that the failure to detect anomalous patterns, including an irregular modification of the client’s registered telephone number, forms part of the causal chain linking the bank’s conduct to the user’s loss. This reasoning maps onto the obligations that Article 32(1) of the proposed Digital Euro Regulation imposes at the European Central Bank level.

The last point I want to address refers to consumer protection in the Digital Euro framework, but I will limit my presentation to the most significant consumer-specific protection introduced by the payments legislative package. Article 59 of the proposed Payment Services Regulation creates a reimbursement right for victims of authorised push payment fraud by impersonation. A natural person, acting outside their professional interest, who is induced by a fraudster impersonating a bank is entitled to full reimbursement from their payment service provider, provided they report to the police without undue delay and notifies the provider promptly. Electronic communications service providers and online platforms may share liability for failing to remove fraudulent impersonation content that facilitated the fraud.

There is, however, one gap that no consumer legislation can reach: the security architecture of the Digital Euro itself. Privacy protections, the offline settlement mechanism, and the fraud detection function fall within the exclusive competence of the European Central Bank as issuer. If the Digital Euro’s architecture proves deficient, if offline tokens can be replicated, or if the fraud detection mechanism is inadequate, the user’s only avenue is extra-contractual liability under Article 340(3) of the Treaty. The reasoning developed by the Bucharest Court of Appeal, imposing liability on an institutional actor that failed to implement adequate fraud detection, will need to be tested against the very different constitutional framework governing the European Central Bank before it can offer the same protection to Digital Euro users.

In closing, I will point out that domestic courts jurisprudence is already developing on cases involving phishing, contactless fraud, spoofed numbers, system failures, and the limits of contractual derogation from mandatory protective rules. However, every doctrinal thread visible in the national jurisprudence will have to be resolved again, at much higher stakes, when the Digital Euro arrives.

In my opinion, three questions will dominate the first wave of Digital Euro litigation. First, will the European Central Bank’s fraud prevention obligation give rise to extra-contractual claims under Article 340(3) of the Treaty when the system fails? Second, will the anonymous-use exception currently available for near-field communication transactions extend to offline digital euro payments? Third, can the reversed burden of proof survive the tripartite structure of the Digital Euro, where the payment service provider manages but does not own the money it handles?

I hope these questions will be answered either by the final texts of the proposed legislation, or by the Court of Justice of the EU, in the exercise of its interpretative function.

---

[1] Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro, COM (2023) 369 final, 28 June 2023, Recital 9. Full text available here.
[2] COM (2023) 369 final, Article 5(3): digital euro payment transactions and the related payment services are subject to Directive (EU) 2015/2366 as replaced by the proposed Directive on payment services and electronic money services in the internal market, COM (2023) 366 final, 28 June 2023. Available here.
[3] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market. Available here.
[4] Proposed Payment Services Regulation, COM (2023) 367 final, 28 June 2023. Available here.
[5] COM(2023) 369 final, Article 32(1) and Explanatory Memorandum, section on Modalities of distribution (Articles 25 to 33): The European Central Bank should provide support for the processing of disputes, including technical and fraud disputes, related to the digital euro, at euro area level […]. The European Central Bank may decide to confer the task of developing and managing a dispute mechanism function, as well as a fraud prevention function, upon providers of support services.” See also Brussels Privacy Hub Policy Paper, December 2023. Available here.
[6] CJEU, Case C-287/19, DenizBank AG v Verein für Konsumenteninformation, 11 November 2020, ECLI:EU:C:2020:897.
[7] Bucharest Court of Appeal, Decision of December 2025, ECLI:RO:CABUC:2025:046.

---

Carol Țino, Associate PIPEREA & ASOCIAȚII

* This presentation was delivered at the debate ‘The Future of the European Currency: The Digital Euro between Strategic Autonomy and the New Standards of Financial Transparency’, held at the European Parliament in Brussels on 21 April 2026.