Provisional text

1 August 2025 (*)

( Reference for a preliminary ruling – Payment services in the internal market – Directive 2007/64/EC – Article 56(1)(b) – Obligation for the payment service user to notify the payment service provider ‘without undue delay’ of the loss, theft, misappropriation or unauthorised use of his or her payment instrument – Article 58 – Notification of unauthorised payment transactions – Rectification of such a transaction by the payment service provider subject to the obligation for the user of those services to notify that transaction ‘without undue delay … and no later than 13 months after the debit date’ – Articles 60 and 61 – Respective liabilities of the payment service provider and of the payer for unauthorised payment transactions – Successive unauthorised payment transactions resulting from the loss, theft, misappropriation or unauthorised use of a payment instrument – Delayed notification without intent or gross negligence – Scope of the right to a refund )

In Case C‑665/23,

REQUEST for a preliminary ruling under Article 267 TFEU from the Cour de cassation (Court of Cassation, France), made by decision of 8 November 2023, received at the Court on 9 November 2023, in the proceedings

Veracash SAS,

THE COURT (Fourth Chamber),

composed of I. Jarukaitis (Rapporteur), President of the Chamber, N. Jääskinen, A. Arabadjiev, M. Condinanzi and R. Frendo, Judges,

Advocate General: L. Medina,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–Veracash SAS, by R. Froger, lawyer,

–the French Government, by R. Bénard and T. Lechevallier, acting as Agents,

–the Czech Government, by J. Očková, M. Smolek and J. Vláčil, acting as Agents,

–the European Commission, by C. Auvret and G. Goddin, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 9 January 2025,

gives the following

1This request for a preliminary ruling concerns the interpretation of Articles 56, 58, 60 and 61 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market, amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1, and corrigendum OJ 2009 L 187, p. 5).

2The request has been made in proceedings between IL, a natural person, and Veracash SAS concerning a refusal to refund withdrawals of money allegedly made without IL’s authorisation, on account of their allegedly delayed notification.

Legal context

European Union law

3Recitals 31 to 35 of Directive 2007/64 read as follows:

‘(31) In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions provided that the payment service provider has fulfilled his information obligations under this Directive. If the notification deadline is met by the payment service user, he should be able to pursue those claims within the prescription periods pursuant to national law. This Directive should not affect other claims between payment service users and payment service providers.

(32) In order to provide an incentive for the payment service user to notify, without undue delay, his provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user should be liable only for a limited amount, unless the payment service user has acted fraudulently or with gross negligence. Moreover, once a user has notified a payment service provider that his payment instrument may have been compromised, the user should not be required to cover any further losses stemming from unauthorised use of that instrument. …

(33) In order to assess possible negligence by the payment service user, account should be taken of all the circumstances. The evidence and degree of alleged negligence should be evaluated according to national law. Contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to increase the burden of proof on the consumer or to reduce the burden of proof on the issuer should be considered null and void.

(34) However, Member States should be able to establish less stringent rules than mentioned above in order to maintain existing levels of consumer protection and promote trust in the safe usage of electronic payment instruments. … Member States should be allowed to reduce or completely waive the payer’s liability except where the payer has acted fraudulently.

(35) Provisions should be made for the allocation of losses in the case of unauthorised payment transactions. Different provisions may apply to payment service users who are not consumers, since such users are normally in a better position to assess the risk of fraud and take countervailing measures.’

4Article 4 of that directive included the following definitions:

‘For the purposes of this Directive, the following definitions shall apply:

(5) “payment transaction” means an act, initiated by the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee;

(7) “payer” means a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order;

(10) “payment service user” means a natural or legal person making use of a payment service in the capacity of either payer or payee, or both;

(16) “payment order” means any instruction by a payer or payee to his payment service provider requesting the execution of a payment transaction;

(23) “payment instrument” means any personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order;

…’

5Title IV of that directive, entitled ‘Rights and obligations in relation to the provision and use of payment services’, contained five chapters. Chapter 1 of Title IV, entitled ‘Common provisions’, contained Article 51, which set out the scope of Title IV. Paragraph 1 of Article 51 provided:

‘Where the payment service user is not a consumer, the parties may agree that … Articles 59, 61, 62, 63, 66 and 75 shall not apply, in whole or in part. The parties may also agree on a time period different from that laid down in Article 58.’

6Chapter 2 of Title IV was entitled ‘Authorisation of payment transactions’ and included Articles 54 to 63 of that directive. Article 56 of Directive 2007/64, entitled ‘Obligations of the payment service user in relation to payment instruments’, provided in paragraph 1 thereof:

‘The payment service user entitled to use a payment instrument shall have the following obligations:

(b) to notify the payment service provider, or the entity specified by the latter, without undue delay on becoming aware of loss, theft or misappropriation of the payment instrument or of its unauthorised use.’

7Under Article 57 of Directive 2007/64, entitled ‘Obligations of the payment service provider in relation to payment instruments’:

‘1. The payment service provider issuing a payment instrument shall have the following obligations:

(c) to ensure that appropriate means are available at all times to enable the payment service user to make a notification pursuant to Article 56(1)(b) …; and

(d) to prevent all use of the payment instrument once notification pursuant to Article 56(1)(b) has been made.

8According to Article 58 of that directive, entitled ‘Notification of unauthorised or incorrectly executed payment transactions’:

‘The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, … and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III [, relating to transparency of conditions and information requirements for payment services].’

9Article 59 of that directive, entitled ‘Evidence on authentication and execution of payment transactions’, provided:

‘1. Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.

10Article 60 of Directive 2007/64, entitled ‘Payment service provider’s liability for unauthorised payment transactions’, provided, in paragraph 1:

‘Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.’

11Article 61 of Directive 2007/64, entitled ‘Payer’s liability for unauthorised payment transactions’, was worded as follows:

‘1. By way of derogation from Article 60 the payer shall bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 150, resulting from the use of a lost or stolen payment instrument or, if the payer has failed to keep the personalised security features safe, from the misappropriation of a payment instrument.

12Article 62 of that directive contained rules relating to ‘refunds for payment transactions initiated by or through a payee’, while Article 63 thereof concerned ‘requests for refunds for [such] transactions’.

13Directive 2007/64 was repealed and replaced, with effect from 13 January 2018, by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ 2015 L 337, p. 35), in accordance with Article 114 of Directive 2015/2366.

French law

14Article L. 133-17 of the Code monétaire et financier (Monetary and Financial Code), in the version resulting from Order No 2009-866 of 15 July 2009 on the conditions governing the supply of payment services and creating payment institutions (JORF of 16 July 2009, text No 13, and corrigendum JORF of 25 July 2009, text No 18) (‘the Monetary and Financial Code’), provides:

‘I – Upon becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument or of the data associated with it, the payment service user shall, without undue delay and for the purposes of blocking the instrument, notify his or her payment service provider, or the entity specified by his or her provider.

…’

15The first paragraph of Article L. 133-18 of that code provides:

‘In the case of an unauthorised payment transaction notified by the user under the conditions prescribed in Article L. 133-24, the payment service provider shall refund to the payment service user forthwith the amount of the unauthorised payment transaction and, where applicable, shall restore the payment account that had been debited with that amount to the situation that would have existed if the unauthorised payment transaction had not taken place.’

16Article L. 133-19 of that code provides:

‘I. – In the case of an unauthorised payment transaction resulting from the loss or theft of a payment instrument, the payer shall, prior to the notification stipulated in Article L. 133-17, bear the losses associated with the use of the lost or stolen instrument subject to a ceiling of [EUR] 150.

The payer shall not be held liable, however, in the case of an unauthorised payment transaction carried out without the use of the personalised security features.

II. – The payer shall not be held liable where the unauthorised payment transaction was carried out by misappropriation, without the payer’s knowledge, of the payment instrument or of the data associated with it.

Likewise, he or she shall not incur liability in the event of misuse of the payment instrument if he or she was in physical possession of the instrument when the unauthorised payment transaction took place.

III. – Except where he or she has acted fraudulently, the payer shall not bear any financial consequences if the payment service provider does not provide appropriate means of notification so that the payment instrument may be blocked, as stipulated in Article L. 133-17.

17Under Article L. 133-24 of that code:

‘The payment service user shall notify the payment service provider without undue delay of any unauthorised or incorrectly executed payment transactions and no later than 13 months after the debit date, failing which he or she will be time barred, unless the payment service provider has failed to provide or make available the information on that payment transaction …

Except where the user is a natural person acting otherwise than for business or professional purposes, the parties may decide to derogate from this article.’

The dispute in the main proceedings and the questions referred for a preliminary ruling

18IL holds a gold deposit account with Veracash. On 24 March 2017, Veracash sent to IL’s address a new cash withdrawal and payment card. In the period between 30 March 2017 and 17 May 2017, daily withdrawals were made from that account (‘the withdrawals at issue in the main proceedings’).

19Maintaining that he had neither received that payment card nor authorised those withdrawals, IL brought an action before the Tribunal de grande instance d’Évry (Regional Court, Évry, France), which, since 1 January 2020, became the tribunal judiciaire d’Évry (Court of Évry, France), seeking an order requiring Veracash to refund the sums corresponding to those withdrawals and to pay damages.

20Since his action was dismissed in part at first instance, IL brought an appeal before the cour d’appel de Paris (Court of Appeal, Paris, France), which dismissed it by judgment of 3 January 2022. That court, like the court of first instance, held that IL could not rely on the provisions of Article L. 133-18 of the Monetary and Financial Code since he had not notified Veracash of the withdrawals at issue in the main proceedings ‘without undue delay’ and ‘immediately’, but rather on 23 May 2017, that is, almost two months after the first contested withdrawal.

21Accordingly, IL brought an appeal on a point of law before the Cour de cassation (Court of Cassation, France), which is the referring court. In support of his appeal, IL relies on two grounds of appeal, one of which, in the first part, alleges infringement of Article L. 133-24 of the Monetary and Financial Code. By means of that part, IL submits that the cour d’appel de Paris (Court of Appeal, Paris) infringed Article L. 133-24 by holding, in essence, that his notification to Veracash of the withdrawals at issue in the main proceedings was delayed since it was carried out almost two months after the first contested withdrawal, whereas, in his view, under Article L. 133-24, the user of a bank card has a time limit of 13 months after the date of the contested debit to issue such a notification.

22Veracash contends, on the other hand, that Article L. 133-24 establishes a double time limit and that the 13-month time limit is a final deadline. Moreover, the scheme of that provision requires the user, as soon as he or she becomes aware of an anomaly, to notify it immediately to his or her payment service provider.

23The referring court states that the outcome of the dispute brought before it depends on whether the payment service provider can refuse to refund the amount of an unauthorised transaction where the payer, despite having notified that transaction within 13 months after the debit date, delayed in doing so, without that delay however having been intentional or the result of gross negligence on his or her part.

24Noting that the relevant provisions of the Monetary and Financial Code must be interpreted in accordance with Directive 2007/64, applicable ratione temporis to the dispute before it, in view of the date of the facts giving rise to that dispute, the referring court is of the view that a literal reading of Article 58 of that directive, which it considers supported by recital 31 thereof, may, admittedly, lead to the conclusion that the payment service provider is entitled to refuse to refund the amount of an unauthorised payment transaction on the sole ground that the payment service user delayed in notifying it, even though the notification was made within the 13-month time limit. However, such an interpretation would appear difficult to reconcile with Article 61(2) of that directive. If, in any event, the payer’s payment service provider was not required to refund the payer the amount of an unauthorised payment transaction which the payer delayed in notifying to his or her payment service provider, it would become irrelevant whether that delay was intentional or due to gross negligence, even though that provision, read in conjunction with Article 56 of that directive, provides that that refund obligation is excluded in those circumstances alone.

25The referring court observes, moreover, that, although the Court, in the judgment of 2 September 2021, CRCAM (C‑337/20, EU:C:2021:671), interpreted Article 58 of Directive 2007/64, it did not rule on the consequences of the payer’s failure to comply with the obligation to notify his or her payment service provider without undue delay that he or she has become aware of an unauthorised payment transaction.

26In that regard, it is true that there is an interest in encouraging the payer to be diligent in notifying his or her payment service provider. However, Article 61(2) of Directive 2007/64 indicates, according to the referring court, that the EU legislature did not intend to penalise all delays, whatever the circumstances, by totally depriving the payer of the right to a refund. It therefore leans toward an interpretation of that directive as meaning that, apart from the case of fraudulent conduct on the part of the payer and of a notification after the expiry of the 13‑month time limit, the payer must be deprived of the right to a refund only in respect of losses relating to unauthorised payment transactions which it would have been possible to avoid by notifying without undue delay, provided that the delayed notification is intentional or is the result of gross negligence on his or her part.

27In those circumstances, the Cour de cassation (Court of Cassation, France) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1) Must Articles 56, 58, 60 and 61 of [Directive 2007/64] be interpreted as meaning that the payer is deprived of the right to reimbursement of the amount of an unauthorised transaction if he [or she] delayed in notifying his [or her] payment service provider of the unauthorised payment transaction, even though he [or she] did so within 13 months from the debit date?

(2) In the event that the answer to Question 1 is in the affirmative, is the deprivation of the payer’s right to reimbursement conditional on the fact that the lateness of the notification is intentional or the result of gross negligence on the part of the payer?

(3) In the event that the answer to Question 1 is in the affirmative, is the payer deprived of the right to reimbursement of all the unauthorised transactions or only those which could have been prevented if the notification had not been late?’

Consideration of the questions referred

Preliminary observations

28As a preliminary point, it should be noted that the withdrawals at issue in the main proceedings were made by means of a card which the applicant in the main proceedings claims he never received.

29In that context, it must be borne in mind, first, that, in accordance with the definition in Article 4(5) of Directive 2007/64, the withdrawal of funds constitutes a ‘payment transaction’ within the meaning of that provision. In addition, under Article 4(23), the concept of ‘payment instrument’ refers to any personalised device and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a ‘payment order’, the latter concept referring, according to Article 4(16), to any instruction by a payer or payee to his or her payment service provider requesting the execution of a ‘payment transaction’.

30The dispute in the main proceedings therefore concerns a series of allegedly unauthorised payment transactions resulting from the use of a payment instrument. However, in the absence of any indication in that regard in the order for reference, it is not possible to determine whether that payment instrument must be regarded as having been lost, stolen, misappropriated or used in an unauthorised manner, so that, in order to provide a useful answer to the referring court, all those possibilities will have to be considered.

31Second, Article 57(2) of Directive 2007/64 provides that the payment service provider shall bear the risk of sending a payment instrument to the payer or of sending any personalised security features of it. In the light of the facts giving rise to the main proceedings, it is therefore for the referring court to ascertain, at the outset, that no such risk was incurred by the payment service provider at issue when sending the payment instrument that was used in the withdrawals at issue in the main proceedings, the consequences of which are to be borne by that service provider.

The first question

32It is apparent from the request for a preliminary ruling that, by its first question, the referring court seeks clarification on the scope of the payment service user’s obligation to notify unauthorised payment transactions. That notification obligation is specifically laid down in Article 58 of Directive 2007/64.

33Accordingly, the referring court’s first question should be understood as asking, in essence, whether Article 58 of Directive 2007/64 must be interpreted as meaning that the payment service user is deprived of the right to obtain rectification of a transaction if he or she failed to notify his or her payment service provider without undue delay on becoming aware of any unauthorised payment transactions, even though he or she notified it to that payment service provider within 13 months after the debit date.

34According to settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it is part (see judgments of 17 November 1983, Merck, 292/82, EU:C:1983:335, paragraph 12, and of 6 March 2025, Cymdek, C‑20/24, EU:C:2025:139, paragraph 38).

35As regards, in the first place, the wording of the provision whose interpretation is sought, it should be recalled that Article 58 of Directive 2007/64 provides that the payment service user shall obtain rectification only if he or she notifies his or her payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transaction giving rise to a claim, and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III of that directive. Title III concerns the transparency of conditions and information requirements for payment services.

36It is thus on the premiss that the payment service provider has fulfilled his or her obligations to provide information under Title III of Directive 2007/64 that it is necessary to proceed with the interpretation of Article 58 of that directive.

37In that regard, it should be noted that the wording of that provision lays down the obligation for the payment service user to notify his or her payment service provider ‘without undue delay’ on becoming aware, inter alia, of an unauthorised payment transaction, ‘and no later’ than 13 months after the debit date. Therefore, it appears that, according to that wording, the right of the payment service user to obtain rectification of an unauthorised payment transaction is subject to the prior fulfilment of a twofold temporal condition.

38Admittedly, not all the language versions of Article 58 of Directive 2007/64 use the conjunction ‘and’. However, all those language versions state that the obligation for the payment service user to notify an unauthorised payment transaction to his or her payment service provider ‘without undue delay’ is triggered when that user becomes aware of that transaction. The 13-month time limit, on the other hand, runs from the debit date. This suggests that these constitute two different temporal conditions.

39Furthermore, as the Advocate General also observed, in essence, in points 44, 47 and 48 of her Opinion, the obligation to notify ‘without undue delay’ is subjective in nature, in that it requires the payment service user to act as soon as possible, having regard to the circumstances in which he or she finds him or herself, from the moment he or she becomes aware of the unauthorised payment transaction. Thus, that obligation differs from the obligation to notify ‘no later than 13 months’, which is objective in nature, since it starts to run from the debit date of the transaction giving rise to a claim.

40The wording of Article 58 of Directive 2007/64 therefore indicates that, in principle, in order to obtain rectification of a transaction, the payment service user is required both to notify his or her payment service provider without undue delay on becoming aware of an unauthorised payment transaction and to make that notification no later than 13 months after the debit date.

41That literal interpretation is, in the second place, supported by the context in which Article 58 occurs. In that regard, first, recital 31 of Directive 2007/64 refers to the need for the payment service user to notify the payment service provider ‘as soon as possible’ of any contestations concerning allegedly unauthorised payment transactions. The reference to that obligation to notify ‘as soon as possible’, inasmuch as it differs from an obligation to notify within a fixed time limit, which, moreover, is not mentioned in the recitals of Directive 2007/64, confirms that the obligation to notify ‘without undue delay’, laid down in Article 58, is of an autonomous nature. Thus, it differs from the obligation to notify within the 13-month time limit after the debit date.

42Second, according to Article 56(1)(b) of Directive 2007/64, the payment service user entitled to use a payment instrument is under an obligation, on becoming aware of the loss, theft or misappropriation of the payment instrument or of its unauthorised use, to notify it to the payment service provider or the entity specified by that provider without undue delay.

43Admittedly, the time limit within which that notification obligation must be fulfilled differs from the obligation to notify an unauthorised payment transaction ‘without undue delay’ laid down in Article 58 of that directive. That time limit runs from the date on which the payment service user becomes aware not only of any unauthorised use of the payment instrument, but, as the case may be, of the loss, theft or misappropriation of that instrument. Awareness of those events may occur even before that instrument is used for the purposes of carrying out an unauthorised payment transaction. Moreover, those two obligations also differ in that it is possible that it is not the payment service provider, but an entity specified by that provider, which must be notified of the loss, theft, misappropriation or unauthorised use of the instrument in question.

44However, the fact remains that, as the circumstances of the case in the main proceedings illustrate, it is possible that the notification obligation laid down in Article 56(1)(b) of that directive and the notification obligation laid down in Article 58 thereof may arise simultaneously. In such circumstances, it would be inconsistent to consider that mere compliance with the time limit of 13 months after the debit date is sufficient for the payment transaction in question to be regarded as having been notified in accordance with the requirements of Article 58 of Directive 2007/64, whereas Article 56(1)(b) of that directive requires, in principle, a more expeditious notification.

45That literal interpretation is, in the third place, supported by the objectives pursued by Directive 2007/64.

46In that regard, first, according to recital 31 of that directive, which clarifies the scope of Article 58 thereof, the obligation for the payment service user to notify the payment service provider ‘as soon as possible’ of any contestations concerning allegedly unauthorised payment transactions is intended to reduce the risks and consequences of unauthorised payment transactions.

47It is thus apparent from recital 31 that the obligation to notify ‘without undue delay’ laid down in Article 58 pursues a preventive objective. If compliance with the 13-month time limit after the debit date were sufficient in any event to consider that the payment service user had fulfilled his or her obligation to notify under Article 58, that preventive purpose would be undermined.

48Second, it follows from the case-law of the Court that the 13-month time limit is a maximum time limit, at the expiry of which the payment service user no longer has the possibility of holding the payment service provider liable for the transaction concerned, even on the basis of a liability regime other than that laid down in Article 58 and Article 60(1) of Directive 2007/64. That period is thus intended to ensure legal certainty for both payment service users and providers of such services (see, to that effect, judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraphs 48 to 52).

49The fact that that objective is different from that pursued by the obligation to notify ‘without undue delay’ confirms that Article 58 of Directive 2007/64 contains two temporal conditions, which are in principle separate. Furthermore, to consider that the payment service user is entitled to obtain rectification of an unauthorised payment transaction of which he or she was aware, but which he or she delayed in notifying to his or her payment service provider, would undermine legal certainty and the balancing of the respective interests of the payment service user and his or her payment service provider envisaged by the EU legislature when it adopted Directive 2007/64.

50In accordance with Article 60(1) of that directive, Member States are to ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. If the payment service user could delay making a claim under Article 58 until 13 months after the debit date of the transaction, even though that user became aware of the transaction at issue well before then, the period of legal uncertainty would be extended without objective justification, to the detriment of the payment service provider concerned, thereby undermining that legal certainty and that balancing exercise.

51It follows from the foregoing that the notification obligation laid down in Article 58 of that directive is deemed to be satisfied only upon the fulfilment of the twofold condition, first, that the payment service user notifies his or her payment service provider without undue delay on becoming aware of an unauthorised payment transaction and, second, that that notification takes place no later than 13 months after the debit date.

52That said, it must also be borne in mind that, in the logic of the liability regime established in Chapter 2 of Title IV of Directive 2007/64, the obligation on the payment service user to notify any unauthorised transaction is the condition for that regime to be able to apply for the benefit of that user (see, to that effect, judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraphs 38 and 39).

Thus, as stated in recital 31 of that directive with reference to the notification, inter alia, of ‘allegedly’ unauthorised payment transactions, that notification obligation is a prerequisite intended to ensure that the payment service provider is informed of the fact that the payment service user has become aware of a transaction which he or she considers to be unauthorised, the actual obtaining of the requested rectification being governed by other provisions of that directive.

54In particular, the actual obtaining of that rectification is, first, subject to the condition that that lack of authorisation is established, since Article 59 of Directive 2007/64 contains, in that regard, certain details relating to proof of authentication and execution of payment transactions. Second, it is subject to the rules on the allocation of the respective liabilities of the payment service provider and the payer for unauthorised payment transactions, set out, inter alia, in Articles 60 and 61 of that directive, which are intended, as stated in recital 35 of that directive, to govern the allocation of losses in the case of unauthorised payment transactions. In that regard, it should further be noted that, as is apparent from Article 4(7) and (10) of Directive 2007/64, the concept of ‘payer’ is included in that of ‘payment service user’ and refers, inter alia, to a natural person who authorises a payment order or who gives a payment order. In addition, Articles 62 and 63 of that directive deal, respectively, with the refund of payment transactions initiated by or through the payee and with requests for such a refund.

55Furthermore, according to Article 51(1) of Directive 2007/64, where the payment service user is not a consumer, the parties may, first, decide that, inter alia, Articles 59, 61, 62 and 63 thereof do not apply, in whole or in part, and, second, agree on a time limit different from that laid down in Article 58 of that directive.

56Having regard to all the foregoing considerations, it must be held that the answer to the first question is that Article 58 of Directive 2007/64 must be interpreted as meaning that the payment service user is, in principle, deprived of the right to obtain rectification of a transaction if he or she did not notify his or her payment service provider without undue delay on becoming aware of an unauthorised payment transaction, even though he or she notified it to that payment service provider within 13 months after the debit date.

The second question

57As a preliminary point, it should be noted that, according to settled case-law, under the procedure laid down by Article 267 TFEU providing for cooperation between national courts and the Court of Justice, it is for the latter to provide the referring court with an answer which will be of use to it and enable it to determine the case before it. To that end, the Court may have to reformulate the questions referred to it. The Court has a duty to interpret all provisions of EU law which national courts require in order to decide the actions pending before them, even if those provisions are not expressly indicated in the questions referred to the Court of Justice by those courts (see judgments of 18 March 1993, Viessmann, C‑280/91, EU:C:1993:103, paragraph 17; of 28 November 2000, Roquette Frères, C‑88/99, EU:C:2000:652, paragraph 18, and of 8 May 2025, HUK-COBURG Haftpflicht-Unterstützungs-Kasse, C‑697/23, EU:C:2025:338, paragraph 22).

58In the present case, it is apparent from the request for a preliminary ruling that, by its second question, the referring court seeks to obtain clarification on possible circumstances in which it may be considered that a delay in notifying an unauthorised payment transaction is in fact such as to deprive the payer of his or her right to a refund of that transaction, where that transaction results from the loss, theft, misappropriation or unauthorised use of a payment instrument.

59Not only Article 58 of Directive 2007/64, relating in particular to the notification of unauthorised payment transactions, but also Article 60(1) and Article 61(2) of that directive, relating to the respective liabilities of the payment service provider and the payer in the event of an unauthorised payment transaction, are relevant in that regard, as well as Article 56 of that directive, to which Article 61(2) refers, and more specifically Article 56(1)(b), which refer precisely to the factual circumstances referred to at the end of the preceding paragraph of the present judgment.

60In those circumstances, and in the light of the answer to the first question, it must be understood that, by its second question, the referring court asks, in essence, whether Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) thereof, must be interpreted as meaning that – in the event of an unauthorised payment transaction resulting from the use of a lost, stolen or misappropriated payment instrument, or from any unauthorised use of such an instrument, and where that transaction has been notified by the payer to his or her payment service provider within 13 months after the debit date – the payer is not to be deprived of his or her right to obtain actual rectification of that transaction unless he or she delayed in notifying it to his or her payment service provider with intent or gross negligence.

61In that respect, as regards, in the first place, the wording of those provisions, it should be recalled that it follows from the reference in Article 60(1) of Directive 2007/64 to Article 58 thereof, and from recital 31 of that directive, that the application of the liability regime in the case of unauthorised payment transactions set out in Chapter 2 of Title IV of that directive is subject to the notification, by the payment service user, of any unauthorised transactions to the payment service provider in compliance with Article 58 of that directive (see, to that effect, judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraphs 34, 35, 38 and 39) which, as is apparent from the answer to the first question, contains a twofold temporal condition.

62In the context of that liability regime for unauthorised payment transactions, Article 59 of Directive 2007/64 establishes a mechanism for the burden of proof which is favourable to the payment service user. In essence, the burden of proof lies with the payment service provider, who must prove that the transaction has been authenticated, accurately recorded and entered in the accounts. In practice, the system of proof set by that Article 59 results, once the notification laid down in Article 58 of that directive has been carried out within the period prescribed therein, in an immediate repayment obligation on the part of the payment service provider, in accordance with Article 60(1) of that directive (judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraph 40).

63That obligation to refund immediately the amount of the transaction concerned is, however, subject to certain qualifications, set out in Article 61 of Directive 2007/64. In particular, Article 61(2) of that directive provides, in its first sentence, that the payer is to bear all the losses relating to any unauthorised payment transactions if he or she incurred them by acting fraudulently or by failing to fulfil one or more of his or her obligations under Article 56 with intent or gross negligence.

64As has already been noted in paragraph 42 above, the payer’s obligations under Article 56 include, in paragraph 1(b) of that article, the obligation, for that payer, to notify without undue delay his or her payment service provider or the entity specified by that provider when he or she becomes aware of the loss, theft, misappropriation or unauthorised use of his or her payment instrument.

65Therefore, it follows from the wording of the first sentence of Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) and Article 60(1) of that directive, that the payer is required to bear the losses relating to unauthorised payment transactions resulting from the use of his payment instrument only where he or she has acted fraudulently or where the payer has, with intent or gross negligence, delayed in notifying his or her payment service provider or the entity specified by that provider of the loss, theft, misappropriation or unauthorised use of that instrument. Consequently, it is only in such cases that the payment service provider is relieved of its obligation to refund to the payer the amount of unauthorised payment transactions.

66That interpretation is, in the second place, supported by the context in which Article 56(1)(b), Article 58, Article 60(1) and Article 61(2) of Directive 2007/64 occur.

67First, as has already been stated in paragraph 44 above, it may happen that the notification obligation laid down in Article 56(1)(b) of Directive 2007/64 and the notification obligation laid down in Article 58 thereof arise simultaneously. Therefore, as the Advocate General also observed in point 62 of her Opinion, in order to ensure a coherent interpretation of that directive, compliance with the notification obligation laid down in Article 58 must, in the circumstances referred to in Article 56(1)(b) of that directive, and unless the payer acts fraudulently, be assessed on the basis of the criteria set out in Article 61(2) of that directive.

68Second, in accordance with Article 57(1)(d) of Directive 2007/64, the payment service provider issuing a payment instrument is required to prevent any use of that instrument following a notification made pursuant to Article 56(1)(b) of that directive. In addition, Article 61(4) of that directive provides that, except where the payer has acted fraudulently, the payer is not to bear any financial consequences resulting from the use of a lost, stolen or misappropriated payment instrument which occurred after the notification provided for in Article 56(1)(b). The payer therefore has, in any event, no interest in delaying the notification which he or she is required to make under the latter provision or, where appropriate, the notification which he or she must make under Article 58 of that directive if those two obligations arise simultaneously.

69In the third place, from a teleological perspective, it should be noted, first, that the interpretation set out in paragraph 65 above is such as to preserve the effectiveness of the first sentence of Article 61(2) of Directive 2007/64. To that end, the payment service provider should not be able to rely on a simple delay in notifying an unauthorised payment transaction against the payer in order to avoid its obligation to refund under Article 60(1) of that directive, where that transaction results from the loss, theft, misappropriation or unauthorised use of a payment instrument and the payer became aware of that loss, theft, misappropriation or unauthorised use only when he or she became aware of that transaction. If the payment service provider were able to do so, that first sentence would be rendered ineffective because the payer would be deprived of his or her right to a refund even though the losses which he or she incurred do not result from the fact that the payer failed, with intent or gross negligence, to notify his or her payment service provider or the entity specified by that provider under Article 56(1)(b) of Directive 2007/64.

70Second, that interpretation is supported by the objective pursued by Directive 2007/64, as expressed in recital 32 thereof, according to which, in order to provide an incentive for the payment service user to notify, without undue delay, his or her provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user is to be liable only for a limited amount, unless the payment service user has acted fraudulently or with gross negligence. That recital reflects the intention of the EU legislature to promote, in the event of the theft or loss of a payment instrument, greater protection for the payment service user. Thus, that interpretation does not undermine the balance between the interests of the payer and those of his or her payment service provider, as weighed up by that legislature.

71Consequently, it follows from Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, taken together and read in conjunction with Article 56(1)(b) thereof, that, in the event of an unauthorised payment transaction which, first, results from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of such an instrument and, second, has been notified by the payer to his or her payment service provider within 13 months after the debit date, that payer shall, in principle and except where the payer has acted fraudulently, be deprived of his or her right to obtain a refund of that transaction only if he or she has delayed in notifying the unauthorised payment transaction to his or her payment service provider, with intent or gross negligence.

72It is for the referring court, which alone has jurisdiction to assess the facts, to determine whether that is the case for each of the withdrawals at issue in the main proceedings, since Article 58 expressly refers to the notification of individual payment transactions.

73In the latter regard, in the light of the information set out by the referring court, summarised in paragraphs 22 to 26 above, it should be added that, first, according to Article 59(2) of Directive 2007/64, where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument, as recorded by the payment service provider, is not necessarily sufficient in itself to prove that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed, with intent or gross negligence, to fulfil one or more of his or her obligations under Article 56 of that directive. Second, recital 33 of that decision states, inter alia, that, in order to assess possible negligence by the payment service user, account should be taken of all the circumstances and that the evidence and the degree of alleged negligence should be assessed in accordance with national law.

74However, the conditions set out in Article 61(2) of Directive 2007/64 include ‘gross negligence’ on the part of the payer, namely, as the Advocate General also observed in point 65 of her Opinion, a serious breach of a duty of care. Furthermore, as stated in paragraph 39 above, account must be taken of the circumstances in which the payer finds him or herself. Thus, unless the payer has acted fraudulently and subject to the possible application of Article 51(1) of Directive 2007/64, he or she cannot be criticised for not having ‘immediately’ notified his or her payment service provider on becoming aware of an unauthorised payment transaction resulting from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of such an instrument.

75Furthermore, Article 61 of Directive 2007/64 contains details as to the extent of the losses which, where appropriate, must actually be borne by the payer, in particular in the circumstances referred to in paragraph 71 above.

76In the light of all the foregoing considerations, the answer to the second question is that Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) thereof, must be interpreted as meaning that, in the event of an unauthorised payment transaction resulting from the use of a lost, stolen or misappropriated payment instrument, or from any unauthorised use of such an instrument, and where that transaction has been notified by the payer to his or her payment service provider within 13 months after the debit date, that payer is – in principle and except where the payer has acted fraudulently – to be deprived of his or her right to obtain actual rectification of that transaction only if he or she delayed in notifying it to his or her payment service provider with intent or gross negligence consisting in a serious breach of a duty of care.

The third question

77The referring court asks its third question in the event that the answer to the first question is that the payer is deprived of the right to obtain rectification of a transaction where he or she delayed in notifying his or her payment service provider on becoming aware of an unauthorised payment transaction, even if he or she notified it within 13 months after the debit date.

78Although that first question has, in essence, been answered in the affirmative, that answer is nevertheless, as is apparent from paragraphs 52 to 55 above, subject to various conditions and, in particular, as is apparent from the analysis of the second question, the fact that, where an unauthorised payment transaction results from the loss, theft, misappropriation or unauthorised use of a payment instrument, a payer who notified his or her payment service provider of the unauthorised payment transaction within 13 months after the debit date of the unauthorised payment transaction may, unless he or she acted fraudulently, be deemed to have delayed in notifying his or her payment service provider that he or she has become aware of that transaction only if he or she delayed with intent or gross negligence.

79Furthermore, it is for the referring court to assess and classify the facts at issue before it in the light, inter alia, of the clarifications set out in paragraphs 73 and 74 above.

80It is therefore necessary to reformulate the third question in order to take account of the answer given to the first and second questions.

81Thus, it must be held that, by its third question, the referring court asks, in essence, whether Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) thereof, must be interpreted as meaning that, in the event of successive unauthorised payment transactions, resulting from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of such an instrument, and where the payer, while observing the 13-month time limit after their debit dates, partially delayed in notifying them to his or her payment service provider with intent or gross negligence, that payer is deprived of his or her right to a refund of all losses resulting from those transactions.

82In that regard, as regards the wording of those provisions, it should be noted that, according to Article 60(1) of Directive 2007/64, liability for losses incurred as a result of unauthorised payment transactions lies, in principle, with the payment service provider. However, according to Article 61(2) of that directive, the wording of which is already set out in paragraph 63 above, the payer is to bear ‘all’ the losses relating to any unauthorised payment transaction if these losses were ‘incurred’, inter alia, by the payer’s failure to fulfil his or her obligation to notify under Article 56(1)(b) with intent or gross negligence and, in such cases, the maximum amount of EUR 150, referred to in Article 61(1), shall not apply.

83The wording of Article 61(2) therefore establishes a causal link between, first, the payer’s conduct and, second, the losses incurred in respect of which he or she cannot obtain rectification.

84In addition, it is apparent from the answer to the second question referred for a preliminary ruling that the question whether a notification made under Article 58 of Directive 2007/64 in circumstances such as those referred to in Article 61(2) of that directive, read in conjunction with Article 56(1)(b) thereof, must be regarded as actually delayed is to be assessed separately for each transaction.

85Accordingly, even in the case of unauthorised payment transactions carried out repeatedly over time, all of which result from the same loss, theft or misappropriation of the payment instrument in question, the payer may be deprived of the right to obtain rectification only in respect of transactions which he or she delayed in notifying to his or her payment service provider with intent or gross negligence.

86That literal interpretation is supported not only by the fact that Article 61(2) of Directive 2007/64 is a provision derogating from the principle laid down in Article 60(1) of that directive and that it must therefore be interpreted strictly, but also by the context in which the provisions referred to in paragraph 81 above occur.

87In addition, Article 61(4) of that directive provides that, except where the payer has acted fraudulently, the payer is not to bear any financial consequences resulting from the use of a lost, stolen or misappropriated payment instrument which occurred after the notification provided for in Article 56(1)(b) of that directive. Moreover, in accordance with Article 61(5) of Directive 2007/64, if the payment service provider does not provide appropriate means for the notification at all times of a lost, stolen or misappropriated payment instrument, as required under Article 57(1)(c) of that directive, the payer shall not be liable for the financial consequences resulting from use of that payment instrument, except where he or she has acted fraudulently. Those two provisions confirm that the payer cannot be held liable for losses which he or she could not have avoided.

88That literal interpretation is also supported by the objectives pursued by Directive 2007/64. In that regard, it should be noted that the requirement of a causal link between the payer’s conduct and the losses which he or she has incurred and for which he or she cannot obtain a refund from his or her payment service provider is consistent with the balancing of the respective interests of payment service users and payment service providers, as carried out by the EU legislature in that directive. That requirement, by making the payment service user accountable, encourages him or her, in accordance with recitals 31 and 32 of that directive, not to unduly delay notifying to his or her payment service provider unauthorised payment transactions of which he or she has become aware. Similarly, that requirement encourages the payment service provider to comply with its obligations in order for that user to be able to become aware of such transactions.

89Moreover, that requirement guarantees the effectiveness of both Article 51(1) and Article 61(3) of Directive 2007/64. First, it permits the parties, when the payment service user is not a consumer, to decide, inter alia, that Article 61 of that directive is not to apply or to agree on a time limit different from that laid down in Article 58 thereof and thus to establish a different division of liability offering, as the case may be, less protection for payment service users who are not consumers. Second, it preserves the option, which Article 61(3) of that directive offers to Member States, to choose to limit the liability of the payer referred to in Article 61(1) and (2) where the payer has neither acted fraudulently nor intentionally failed to fulfil his or her obligations under Article 56 of that directive, in particular, as stated in recital 34 thereof, in order to maintain existing levels of consumer protection and promote trust in the safe usage of electronic payment instruments.

90In the light of all the foregoing considerations, the answer to the third question is that Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) thereof, must be interpreted as meaning that, in the event of successive unauthorised payment transactions, resulting from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of such an instrument, and where the payer, while observing the 13-month time limit after the debit dates of those transactions, partially delayed in notifying them to his or her payment service provider with intent or gross negligence, that payer is, in principle, deprived of the right to obtain a refund only of the losses resulting from the transactions which he or she delayed in notifying to his or her payment service provider with intent or gross negligence.

Costs

91Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fourth Chamber) hereby rules:

1.Article 58 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC

must be interpreted as meaning that the payment service user is, in principle, deprived of the right to obtain rectification of a transaction if he or she did not notify his or her payment service provider without undue delay on becoming aware of an unauthorised payment transaction, even though he or she notified it to that payment service provider within 13 months after the debit date.

2.Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) thereof,

must be interpreted as meaning that, in the event of an unauthorised payment transaction resulting from the use of a lost, stolen or misappropriated payment instrument, or from any unauthorised use of such an instrument, and where that transaction has been notified by the payer to his or her payment service provider within 13 months after the debit date, that payer is – in principle and except where that payer has acted fraudulently – to be deprived of his or her right to obtain actual rectification of that transaction only if he or she delayed in notifying it to his or her payment service provider with intent or gross negligence consisting in a serious breach of a duty of care.

3.Article 58, Article 60(1) and Article 61(2) of Directive 2007/64, read in conjunction with Article 56(1)(b) thereof,

must be interpreted as meaning that, in the event of successive unauthorised payment transactions, resulting from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of such an instrument, and where the payer, while observing the 13‑month time limit after the debit dates of those transactions, partially delayed in notifying them to his or her payment service provider with intent or gross negligence, that payer is, in principle, deprived of the right to obtain a refund only of the losses resulting from the transactions which he or she delayed in notifying to his or her payment service provider with intent or gross negligence.

[Signatures]

—

Language of the case: French.