CINDR.LA EXECUTION SYSTEMS
POSITIONING BRIEF · NEXI · 2026-04-29 AGENTIC COMMERCE · CONSUMER-IDENTITY LAYER
PoPEye Nexi · agentic-commerce positioning

Where does Nexi sit when agentic commerce ships through the rails it already operates?

Across 2025 and into early 2026, four payment-and-commerce protocols shipped — Mastercard Agent Pay, Google AP2, OpenAI/Stripe ACP, Visa Trusted Agent Protocol — and the open agent-identity protocol underneath them, KYA-OS (formerly MCP-I, donated to DIF), graduated to a stewarded standard. Nexi sits in front of all of them as a payment processor whose merchant base meets agentic commerce demand before most banks do. The question is what Nexi ships when the first regulated forcing function lands. That forcing function is CCD2 — application date 20 November 2026 — and what it demands at the moment of consent is the one layer the four protocols and KYA-OS deliberately do not ship. PoPEye — the Point-Of-Purchase Evidence-Yielding Engine — is the answer for that piece. Anchored to Namirial as qualified trust-service provider; native to the Italian regulated identity stack (SPID, CIE) Nexi customers already integrate against; designed and operated by CINDR.LA with IDCanopy's bureau + identity moat underneath. Nexi brings the merchant channel. CINDR.LA / IDCanopy build and operate the regulated evidence layer.

CCD2 is the first deadline. PoPEye is the product that answers it. KYARA is the receipt authority it grows into. KYA-OS is the protocol layer that keeps it interoperable.

CCD2 Enforcement · 20 November 2026
Italian transposition is in drafting through Q2–Q3 2026; the directive applies on 20 November regardless. Banca d'Italia gains supervisory powers tuned for CCD2.
01 · The Shock

What CCD2 breaks for every online BNPL merchant

EU Directive 2023/2225 — Article 18 mandates a fresh, verified, per-transaction creditworthiness check. Behavioural scoring is out.
€191B → €293B
EU BNPL GMV 2025 → 2030
The entire BNPL volume in Europe has to satisfy CCD2 per transaction. No carve-out. No grace period for "large online suppliers" — that phrase was written around mid-market PSP merchant bases.
0
Integrated products on market
White space confirmed. Signicat sells identity+credit bundles direct to banks. Algoan sells open-banking affordability. Nobody combines consent + bureau + wallet + MCP — and nobody sells through PSPs.
6–12 mo
First-mover window
KYARA/agentic-commerce stack became real Q1 2026 (KYA-OS to DIF, Google AP2, Mastercard Agent Pay). One Sumsub or Trulioo PM decision collapses the window. Nexi's position as the regulated-receipt-layer-aware acquirer is the differentiation that closes the window.
02 · The White Space

Four capabilities — nobody has them together.

All four together = our wedge.

The only differentiated position in the market.

Individually, each of these is available. Bundled into one flow, delivered via a PSP channel with wallet-ready consent + MCP exposure — nobody has this today. It's the full compliance stack plus the agentic future in one product.

Wallet-resident consent + SECCI disclosure: EUDI wallet delivers the standardised disclosure + captures specific, informed consent with an auditable receipt.
Multi-bureau fresh credit orchestration: CreditSafe + Schufa + Experian + CRIF — one call, per-country routing, data-freshness enforced for CCD2 Article 18.
KYA-OS-compatible agentic checkout · KYARA receipts: Consumer AI agents and merchant systems plug in via KYA-OS. KYARA-compliant receipts issued at the moment of consent — out of the box.
Acquirer-resold channel: Nexi passes PoPEye through to its merchant base — Italian, DACH, Nordic, Iberian. Signicat sells direct to credit providers; they cannot reach this channel.
[Diagram labels: US, all four · Wallet consent · Bureau orch. · KYA · MCP · PSP channel]
02b · The regulation, in depth

What Article 18 actually requires — and why the consent receipt is the only clean way to prove it.

For compliance officers, product leads, and anyone who signs the procurement ticket. Stop on any heading for depth; skip to §02c for the merchant-shape breakdown.
Why CCD2 exists, and what changed from CCD1

Directive (EU) 2023/2225 was adopted 18 October 2023, entered into force 19 November 2023. Application is 20 November 2026 (Art. 48). On that date Directive 2008/48/EC (CCD1) is repealed and the new regime is directly enforceable in national courts.

CCD1 carved out short-term, low-value, fee-free credit (CCD1 Art. 2(2)(f)) — the exact shape BNPL took. CCD2 closes the carve-out. Operative scope changes beyond the §02b summary: the lower-threshold carve-out is cumulative (below €200 is in scope unless also non-deferred, interest-free, and fee-free — a test almost no BNPL product passes); the "large online supplier" exemption (Art. 2(2)(h)) is materially narrowed (most merchants who relied on the CCD1 version no longer qualify); leasing with purchase option or acquisition obligation is in (Art. 2(2)(d)); P2P and crowdfunded consumer credit — not in CCD1 at all — are captured.

Article 18 — creditworthiness, in detail

Article 18 is the centre of gravity. Three rules compound:

  1. Assessment is mandatory before every agreement, and before any material change. Not per consumer — per transaction. A repeat BNPL customer buying their second €400 basket that month needs a fresh assessment against that new obligation. The last one does not carry over.
  2. It must rest on relevant, sufficient, proportionate information about the consumer's income, expenses, and financial circumstances — verified where necessary through independently verifiable documentation (Art. 18(1)–(2)). "Where necessary" is the proportionality hinge: a documented judgement the creditor has to defend, not a free hand.
  3. Behavioural and inferred data cannot be the principal basis. Device signals, checkout behaviour, merchant-risk models, and social-graph proxies can inform a decision; they cannot carry it. The underlying evidence must be actual financial data. Germany's transposition is explicit on this and additionally prohibits social-media data in creditworthiness.

Three consequences flow from the text. A negative assessment means no credit — Art. 18(6) is a prohibition on granting credit the consumer cannot plausibly repay, with creditor liability attached ("we charged a higher APR instead" is not a defence). Automated decisions carry a human-review right layered on top of GDPR Art. 22 and the CJEU Schufa ruling (C-634/21, December 2023) — consumers must be told the decision logic and can demand human intervention. And proportionality cuts both ways: shallow checks are defensible at the shallow end and indefensible at the deeper end, with the burden of explaining why a given depth was adequate on the creditor.

Product implication: Article 18 does not specify a rail. It specifies an outcome. A documented policy mapping product, ticket, duration, and risk signal to required evidence depth is the defensible form — and the artifact a class-action plaintiff will demand in disclosure.

Consent — narrower than GDPR, specifically

Creditworthiness consent under CCD2 is tighter than the GDPR baseline on four points (Art. 18, read with Arts. 10–12 and the Schufa ruling):

  • Specificity. Consent must reference the specific assessment for the specific credit agreement. "I authorise credit checks" is not enough.
  • Freely given, unbundled. Consent to creditworthiness cannot be tied to consent to marketing, profiling, or any unrelated processing. The bundled-consent pattern common in BNPL checkout UX is non-compliant as of 20 November 2026.
  • Fresh consent per fresh check. Re-assessment on material change requires new consent. A one-time consent does not authorise indefinite bureau or AIS pulls.
  • Data minimisation and right to information. The consumer must be told which data was accessed, from which source, and what decision resulted. Only data proportionate to the assessment may be collected.

The artifact that proves compliance is the consent receipt: a signed, timestamped record binding specific consumer, specific creditor, specific transaction, evidence sources, and decision. CCD2 does not mandate a receipt format. It mandates an outcome that a receipt is the only clean way to deliver.

Withdrawal, modification, and re-assessment (Arts. 26–30)

The 14-day consumer withdrawal right carries over from CCD1. Two CCD2 additions matter for merchants: material modification triggers a new SECCI, new consent, and — where it materially changes the consumer's financial obligation — a new creditworthiness assessment (top-ups, limit increases, and restructurings are procedurally new agreements, not amendments); and forbearance is not optional — before enforcement, the creditor must offer reasonable forbearance measures.

Enforcement — where the commercial exposure actually lives

CCD2 requires "effective, proportionate, and dissuasive" penalties (Art. 44). National legislatures set the specific amounts. What ships uniformly across the EU:

  • Contract voiding and claw-back. Consumers can void non-compliant agreements and recover interest, fees, and default charges. This is the line-item exposure on a BNPL book — not the supervisory fine.
  • Collective action under Directive (EU) 2020/1828. Qualified consumer associations can bring representative actions. The German Verbandsklage and the French action de groupe are the most active venues. One class action on systematic consent-bundling or shallow Art. 18 checks lands at multi-million-euro scale and becomes a precedent across the merchant's book.
  • Private right of action. Individual consumers can claim damages for improperly assessed credit. The discovery burden — consent records, assessment logs, decision rationales on demand — is the operational part.
  • Supervisory penalties. National competent authorities (BaFin, FMA, ACPR, Banca d'Italia) gain explicit CCD2 powers; calibrations are set in national law [NEEDS SOURCE on published CCD2-specific BaFin penalty ranges — CCD1 precedent was €250k–€5M for material violations].
  • Cross-authority reporting. Regulators must flag cross-border non-compliance to peer authorities. A merchant in DE and AT cannot contain a problem to one market.
Transposition uncertainty — what it actually looks like

Germany passed transposition on 17 April 2026 (amending BGB and KWG, introducing the Sales Finance Supervision Act; Bundesrat consent expected May 2026). France transposed by Ordonnance of 3 September 2025. Austria's draft is in consultation, Q2 2026 targeted. Italy, Spain, Netherlands, Belgium have drafts in flight.

The directive text sets the floor for pan-European operations. What varies is the implementation layer — registration, supervisory templates, penalty calibrations, exact Art. 18 verification wording — landing on a rolling calendar through Q3 2026, often weeks before application. Waiting for perfect clarity is not a strategy. Directive-level obligations are stable enough to build against today; national additions layer on as configuration.

What this means for the acquiring channel

02c · Who this breaks for on 20 November 2026

CCD2 does not hit everybody the same way — four merchant shapes, four exposure profiles.

BNPL · Instalment · Leasing · Revolving — what breaks for each, and why waiting is not a strategy.

CCD2 does not hit everybody the same way. Four distinct merchant shapes sit underneath one acquiring-channel checkout, each with a different compliance surface and a different pain profile. The Orchestration Layer handles them with one platform; the commercial pitch splits by buyer. What follows is what breaks, for whom, and why waiting is not an option.

BNPL (≤3 months, ≤€3,000) — the volume track

The consumer-PM buyer. Pay-in-3, Pay-in-4, short-duration deferred payment — the product that built the €191B EU BNPL volume and is on track for €293B by 2030. The CCD1 short-term exemption that made this product lightweight is gone. Every transaction now needs a standardised SECCI before commitment (Directive (EU) 2023/2225, Arts. 10–12), a per-transaction creditworthiness assessment based on verified financial data (Art. 18), specific and unbundled consent, and a signed receipt proving all of it.

What breaks. Contract voiding and claw-back of interest, fees, and default charges on any non-compliant agreement — applied across the book, not per case. Collective actions under Directive (EU) 2020/1828 (German Verbandsklage, French action de groupe) against systematic consent-bundling or shallow Art. 18 checks. Supervisory exposure to BaFin, FMA, ACPR, Banca d'Italia. And — specific to BNPL — a liability-apportionment fight between merchant and BNPL provider that is ambiguous today and adversarial tomorrow: whichever side cannot produce an audit-trailed consent receipt carries the loss.

Why BNPL cannot wait. Volume spikes with seasonal checkout load (peaks above 1,000 TPS for tier-1 merchants). A compliance layer retrofitted mid-peak is a re-platforming project, not a patch. The 20 November 2026 date is fixed. The only question is whether the merchant enters peak with defensible infrastructure or with exposure.

Instalment credit (€1,000–€5,000, 3–24 months) — the higher-assurance track

The consumer-finance-PM buyer. Often a different internal owner at the same merchant as BNPL — different budget line, different compliance appetite, different SLA expectations. Same Orchestration Layer backend; different commercial face. The rule is load-bearing: one platform, two tracks — do not collapse into a single "consumer credit" offering.

What changes at this ticket band is the evidence floor. Bureau data alone is rarely enough to defend an Art. 18 assessment on a €3,000 24-month obligation — the directive's proportionality standard ("verified where necessary through independently verifiable documentation") pushes toward independently verifiable income and expense evidence. Policy-triggered AIS for higher-assurance flows is how that surface closes at checkout latency.

What breaks. The exposure profile shifts from volume-class (many small void-and-claw-back events) to ticket-class (fewer, larger, material voiding actions). "We used bureau data" is a weaker Art. 18 defence at €3,000 than at €150. Under Directive 2020/1828, a qualified consumer association can build a representative action on one or two systematically mis-assessed instalment products and apply the precedent across every similar agreement on the book.

Why instalment credit cannot wait. Higher-assurance evidence requires contracted AIS capacity, configured policy thresholds, and SECCI templates calibrated per national transposition — procurement-cycle decisions, not deployment tasks. Starting in Q3 2026 for 20 November 2026 is late.

Consumer leasing (purchase option / acquisition obligation only) — narrow, design-partner

The lessor buyer. CCD2 Art. 2(2)(d) is the key line: leases without acquisition obligation are out; consumer leases with a purchase option or acquisition obligation are in. Pure operational leasing is not routed through this platform unless local legal review puts it in scope.

The v1 posture is explicit and narrow: its own product mode, SECCI template, and pricing band; AIS-heavy evidence default (bureau-only not permitted at this scale under the v1 policy matrix). Available for design partners and first lessors — deliberately small to prove the product mode works before offering it broadly. Lessors have longer sales cycles and richer affordability-signal expectations than BNPL merchants; leasing carries its own commercial band because the evidence mix and unit economics differ.

What breaks. Same enforcement vectors as instalment credit, compounded by contract length — a voided lease is a multi-year revenue claw-back, not a ticket-level one. Mid-term payment changes and end-of-term purchase-option exercises each trigger the Art. 18 re-assessment rule. A lessor without re-assessment infrastructure at modification events carries cumulative exposure across the book.

Why leasing cannot wait. For design-partner lessors, scoping and evidence-calibration work starts now — leasing ships only if that validation runs parallel to the PSP PoC.

Revolving, overdraft, credit cards with deferred-payment features — flagged, v1.1+

In scope under CCD2, but a different operational shape: continuous obligation rather than per-transaction credit, with re-assessment triggered by material change across the life of the facility. Compliance logic carries over — SECCI, Art. 18, specific consent, receipt — but the surface is a portfolio-review flow, not a checkout flow. Not a v1 commitment. The envelope and receipt schema are designed to absorb revolving as a future product mode without re-architecture.

Why all four tracks read the same calendar

The 20 November 2026 date does not discriminate by product shape. What discriminates is the exposure vector each shape creates: BNPL runs out of peak-season time fastest, instalment credit carries the largest per-case class-action risk, leasing compounds exposure over years, revolving is a later problem but not a different one. One platform, priced in four bands, handling the obligations each track actually faces — that is what it takes to walk into 20 November 2026 with defensible infrastructure across a merchant's full credit offering, not a checkout patch on one product while the rest of the book is exposed.

03 · Why the acquirer funds it

The compliance demand is inside Nexi's merchant base. It is not a new market to find.

CCD2 creates a productized compliance need that merchants will bring to their acquirer. The question is who owns the answer when they ask.

CCD2 creates compliance demand inside merchant portfolios. Every BNPL and consumer-credit merchant that runs through the Nexi channel will need a productized answer by 20 November 2026. They will not build it themselves. They will ask their acquirer.

The acquirer has one structural choice: wait for third-party vendors — Signicat, Sumsub, Trulioo — to productize the layer and own the merchant relationship, or fund the regulated evidence layer now and distribute it as a proprietary product. The first path cedes the relationship. The second path creates a durable channel position.

PoPEye is distributed through existing acquirer rails and relationships. CINDR.LA does not need to find merchants. Nexi selects which segment to activate first and controls the rollout pace. The build is funded once; the distribution is Nexi's channel. For the Italian market specifically, Namirial's Agentic Trust Services infrastructure and SPID/CIE integration make PoPEye uniquely positioned — the identity trust stack Nexi merchants already use becomes the evidence foundation.

Your merchant base will need this. Fund the layer now and own the distribution position before someone else productizes it for your customers.

The evidence layer — what PoPEye orchestrates

Evidence sources
Creditworthiness data
CreditSafe · Schufa · CRIF · KSV1870 · Experian — per-country bureau routing for Article 18 fresh-check compliance. Italian market: CRIF is the primary bureau. PoPEye orchestrates; no single bureau is the moat.
AIS evidence routes
Open-banking affordability
Tink · TrueLayer · Plaid Europe — account-information service data as a supplementary affordability signal. Routed and receipted through the same PoPEye consent flow.
Identity / trust routes
Verified identity anchors
Namirial (Agentic Trust Services) · SPID · CIE · Signicat · Criipto — eIDAS-grade identity routed per regime. Italian SPID/CIE integration is native; Namirial's QTSP position provides the qualified trust anchor.
PoPEye
Orchestration + receipt layer
Regime-shaped orchestration across all evidence providers — consent capture, bureau routing, identity verification, and signed KYARA receipt in one flow. The moat is the layer, not any single source.
04 · The Consumer Flow

Five steps from cart to receipt.

End-to-end latency target: < 3s p95. Consumer sees a SECCI panel + one consent tap. Merchant gets a signed decision. Powered by PoPEye — the Point-Of-Purchase Evidence-Yielding Engine.
  1. Checkout trigger
  2. SECCI disclosure
  3. Consent + wallet
  4. Fresh credit check
  5. Decision + receipt
05 · Competitive Landscape

Who else is closest — and where they can't reach us.

HIGH

Signicat

Identity · Credit · Wallet
Signicat can credibly approach the identity side of this market. The open question is who productizes the regulated transaction receipt first: identity-first providers, payment acquirers, or a PoPEye / KYARA layer anchored through the right trust-service partner. Namirial's QTSP position and SPID/CIE native integration give PoPEye a structural edge in the Italian market Signicat cannot easily replicate.
MED

Algoan

Open-banking affordability
Named CCD2 page, UK expansion. No identity, no wallet, no consent-receipt, no MCP. More partner-candidate than competitor — could become a bureau-alternative in our orchestration.
MED-latent

Sumsub

KYC · KYB · KYA leadership
Already publishing KYA thought leadership. One PM decision from pairing KYA with CCD2 and they collapse the window. First-mover speed is the mitigation.
MED-latent

Trulioo

Global identity verification
Strong in identity breadth. No consent-receipt, no bureau orchestration, no PSP channel. Could acquire their way in — watch for M&A around CreditSafe-adjacent targets.
06 · Commercial Engagement Model

Three entry points. Each one builds on the last.

Structured to let Nexi validate at each tier before committing to the next. Commercial floors are set internally — no unpaid discovery, no free implementation.

Tier 1 — Paid Scoping Sprint

A time-boxed engagement to establish mutual product fit, compliance fit, and architecture readiness before committing to a full build. CINDR.LA / IDCanopy deliver a structured scoping memo and a go / no-go recommendation for Tier 2. Italian market specifics — SPID/CIE identity chain, CRIF bureau routing, Namirial QTSP anchor, Banca d'Italia supervisory expectations — are part of the assessment scope.

Partner funds: Scoping engagement at consulting-band rates
CINDR.LA / IDCanopy delivers: Product fit assessment · compliance fit assessment · architecture sketch · commercial-fit assessment
Partner receives: Scoping memo · architecture sketch · commercial-fit assessment · go / no-go for Tier 2
Out of scope: Implementation · regulator coordination · merchant integration
Decision point: Ratify Tier 2 founding-partner commitment or wind down

What this tier establishes

Market fit: CCD2 exposure across the Nexi merchant base — which segments, which product modes, which countries first (Italy first, or DACH/Nordics)
Compliance fit: Regime-by-regime obligations mapped to PoPEye capabilities, with Italian transposition specifics
Architecture fit: Integration path through Nexi rails — PSP adapter, merchant SDK, SPID/CIE/Namirial identity chain, channel rollout model
Commercial fit: Tier 2 scope, governance model, and founding-partner terms framed for decision

Tier 2 — Founding Partner Build

Nexi funds the PoPEye implementation for one product mode and one launch market. CINDR.LA / IDCanopy deliver a working PoPEye instance integrated into the Nexi channel, anchored to Namirial QTSP and native to the Italian identity stack, ready for CCD2 enforcement on 20 November 2026.

Partner funds: Founding-partner build at mid-market consulting bands
CINDR.LA / IDCanopy delivers: PoPEye implementation for one product mode (BNPL / instalment / leasing / general consumer credit) and one launch market — including consent architecture, evidence routing, receipt schema, and integration with at least one bureau / AIS / identity provider per regime
Partner receives: Working PoPEye instance · acquirer-channel integration plan · governance commitment
Out of scope: Multi-market expansion (Tier 3) · white-label rebranding (separate)
Decision point: Roll into Tier 3 distribution / OEM agreement

Founding-partner position

First-mover advantage: Nexi merchant base is the initial deployment — ahead of any competing acquirer channel in Italy or DACH
Italian stack native: SPID, CIE, and Namirial QTSP integration is built into the launch deployment — not retrofitted
Channel lock: Tier 3 OEM terms prefer founding partners — distribution rights negotiated from a position of live deployment, not speculation
Commercial discipline: Nexi provides channel access and segment selection. CINDR.LA does not identify merchants — Nexi activates the segment it already owns

Tier 3 — Distribution / OEM Agreement

White-label, co-branded, or embedded distribution through the Nexi acquirer channel. Commercial structure depends on exclusivity, markets, transaction volume, support burden, and IP arrangement. This is the durable channel position across Italy, DACH, Nordics, and Iberia.

Partner funds: Separate commercial structure — terms set at negotiation
CINDR.LA / IDCanopy delivers: White-label / co-branded / embedded PoPEye distribution through the Nexi channel · ongoing platform updates · tier-aligned support
Partner receives: Market-specific PoPEye distribution · ongoing updates · expansion path to additional markets or product modes
Out of scope: Open-market sales outside agreed segments
Decision point: Renewal / expansion to additional markets or product modes

Expansion architecture

Market expansion: Italian launch proves the model. Tier 3 renewal frames DACH/Nordics/Iberia activation at lower cost and risk
Product-mode expansion: BNPL is the CCD2 wedge. Instalment credit, leasing, and general consumer credit follow the same architecture at incrementally lower integration cost
Agentic extension: KYARA receipt layer extends naturally to agentic-commerce compliance as KYA-OS interoperability matures across the four payment protocols
Regulatory runway: PSD3/PSR, FIDA, and verticalized regulated transaction surfaces extend the same architecture beyond CCD2
07 · Path to 20 Nov 2026

Seven months — implementation complete before the deadline.

Backward-planned from the 20 November 2026 enforcement date. Tier 1 scoping sprint is the gate.
May 2026
Tier 1 · Paid Scoping Sprint
Product fit, compliance fit, architecture, and commercial-fit assessment — including Italian-market specifics (SPID/CIE/Namirial chain, CRIF bureau routing, Banca d'Italia supervisory scope). Nexi selects launch market and product mode. Scoping memo and Tier 2 go / no-go delivered.
Jun 2026
Tier 2 founding-partner engagement · Nexi selects merchant segment
If the acquirer wants a live merchant proof, the acquirer provides the merchant segment and distribution access. CINDR.LA / IDCanopy provide the regulated evidence layer, consent architecture, receipt schema, and implementation leadership. Tier 2 contract formalises the build scope.
Jul–Sep 2026
8-week build · W1-W8
Foundations → consent engine → creditworthiness (CRIF + Italian AIS routes) → receipts / KYARA receipt schema → SPID/CIE identity chain → integration → compliance hardening → UAT → production cutover.
Oct 2026
Shadow mode · legal review
Merchant traffic in shadow mode. External counsel and merchant legal team review KYARA receipts and consent flows against Italian transposition requirements. Banca d'Italia supervisory posture confirmed. Compliance sign-off before production cutover.
20 Nov 2026
CCD2 enforcement · deployment goes live
Production cutover complete. ≥1000 consent-bound transactions in first wave. Zero compliance findings from legal review. Case study ready for Tier 3 distribution rollout across Italy and DACH.
08 · The Agentic Wedge

CCD2 is the entry point. KYARA and KYA-OS are the category.

Every capability CINDR.LA ships for CCD2 — signed consent, verified identity, bureau-fresh affordability — is exactly what agentic commerce needs when machine-initiated purchases go regulated. KYARA (Know Your Agent Receipt Authority) captures compliance at the moment of consent. KYA-OS (the DIF-stewarded open agent-identity protocol, formerly MCP-I) makes it interoperable across all four payment protocols. This is how CINDR.LA owns the next decade of compliance primitives, not just the 2026 deadline.

MCP-I → KYA-OS (Mar 2026): Vouched donated MCP-Identity to DIF as KYA-OS — the open agent-identity protocol. Standards stewardship now live.
Google AP2 · Mastercard Agent Pay · Visa TAP · OpenAI/Stripe ACP: All four agentic payment protocols shipped 2025–early 2026. Compliance layer is empty across all of them — KYARA via CINDR.LA fills it.
KYARA — the receipt layer PoPEye anchors: PoPEye is the consumer-side primitive that turns CCD2 consent into a KYARA receipt — signed, Namirial QTSP-anchored, extensible to every machine-initiated purchase beyond BNPL.
09 · KYARA Architecture

Four questions. One receipt. Regulator-grade proof.

KYC asks one question of a human. KYARA answers four questions about the agent — and CCD2 forces a human-in-the-loop gate on top regardless.
Q01 · Identity

Who operates this agent?

Legal entity. Registered in our operator registry. KYB-grade.

Operators pass IDCanopy KYB onboarding before issuing any agent. Operator DID + Agent Issuer Certificate minted. Registry resolution on every transaction. No registered operator → transaction rejected before SECCI renders.

Q02 · Provenance

What model. What build.

Reproducible. Audit-traceable. Pinned per transaction.

Agent declaration at registration captures model family, version, capabilities, hosting, key custodian. Version written into every KYA receipt. Regulator traces a disputed CCD2 transaction back to the exact agent build that initiated it.

Q03 · Authority

What mandate, what scope.

Verifiable Credential. Signed by consumer's wallet.

Consumer signs a mandate VC once per scope: merchant allowlist, MCC categories, per-transaction ceiling, rolling-period ceiling, allowed regimes, expiry. CCD2 forces requiresHumanConfirmation=true regardless of what the mandate says — policy engine overrides.

Q04 · Envelope

What is it allowed to do.

Enforced at the action point. Seven checks before any engine fires.

Signature valid · not revoked · not expired · scope match · period ceiling fresh · action assertion fresh · operator in good standing. Any fail → reject before SECCI even renders. Reason returned to merchant.
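
The seven envelope checks from Q04 and the CCD2 human-confirmation override from Q03, as an added Python example that is not CINDR.LA or IDCanopy code. Field names, reason strings, freshness windows and the HMAC stand-in for the wallet's credential signature are assumptions, as is reading "period ceiling fresh" as a recent rolling-spend figure that still leaves room for the purchase.

```python
import hashlib
import hmac
import json

# Added illustration: every field name, constant and key below is hypothetical.
DEMO_WALLET_KEY = b"constructed-demo-key"  # HMAC stands in for the wallet's VC signature
MAX_ASSERTION_AGE_S = 60    # assumed freshness window for the agent's action assertion
MAX_LEDGER_AGE_S = 300      # assumed maximum age of the rolling-period spend figure
HUMAN_GATED_REGIMES = {"ccd2_credit"}  # regime label as it appears in the page's receipt


def sign_mandate(mandate, key=DEMO_WALLET_KEY):
    """Tag the canonical JSON form so any edit to the mandate changes the tag."""
    body = json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def evaluate_envelope(mandate, signature, action, ctx):
    """Run the seven checks in order and return the first failure as the reason."""
    def reject(reason):
        return {"accepted": False, "reason": reason}

    # 1. Signature valid. Checked first: an unauthenticated mandate is not read further.
    if not hmac.compare_digest(sign_mandate(mandate), signature):
        return reject("signature_invalid")
    # 2. Not revoked.
    if mandate["id"] in ctx["revoked_mandates"]:
        return reject("mandate_revoked")
    # 3. Not expired.
    if ctx["now"] >= mandate["expires_at"]:
        return reject("mandate_expired")
    # 4. Scope match: merchant, MCC category, regime and per-transaction ceiling.
    scope = mandate["scope"]
    in_scope = (
        action["merchant_id"] in scope["merchant_allowlist"]
        and action["mcc"] in scope["mcc_categories"]
        and action["regime"] in scope["allowed_regimes"]
        and action["amount_cents"] <= scope["per_tx_ceiling_cents"]
    )
    if not in_scope:
        return reject("scope_mismatch")
    # 5. Period ceiling fresh: the spend figure is recent and leaves room for this amount.
    ledger = ctx["period_ledger"]
    if ctx["now"] - ledger["as_of"] > MAX_LEDGER_AGE_S:
        return reject("period_ledger_stale")
    if ledger["spent_cents"] + action["amount_cents"] > scope["period_ceiling_cents"]:
        return reject("period_ceiling_exceeded")
    # 6. Action assertion fresh: not from the future, not older than the window.
    age = ctx["now"] - action["asserted_at"]
    if age < 0 or age > MAX_ASSERTION_AGE_S:
        return reject("action_assertion_stale")
    # 7. Operator in good standing.
    if mandate["operator"] not in ctx["operators_in_good_standing"]:
        return reject("operator_not_in_good_standing")

    # Policy override: for a human-gated regime the mandate's own flag is ignored.
    needs_human = (
        mandate.get("requiresHumanConfirmation", False)
        or action["regime"] in HUMAN_GATED_REGIMES
    )
    return {"accepted": True, "reason": None, "requires_human_confirmation": needs_human}


def demo_inputs():
    """Constructed sample data: a valid mandate that tries to waive human confirmation."""
    mandate = {
        "id": "mandate-001", "operator": "operator-a", "expires_at": 2_000_000_000,
        "requiresHumanConfirmation": False,
        "scope": {"merchant_allowlist": ["merchant-42"], "mcc_categories": ["5732"],
                  "allowed_regimes": ["ccd2_credit"],
                  "per_tx_ceiling_cents": 50_000, "period_ceiling_cents": 100_000},
    }
    action = {"merchant_id": "merchant-42", "mcc": "5732", "regime": "ccd2_credit",
              "amount_cents": 48_900, "asserted_at": 1_900_000_000}
    ctx = {"now": 1_900_000_010, "revoked_mandates": set(),
           "operators_in_good_standing": {"operator-a"},
           "period_ledger": {"spent_cents": 20_000, "as_of": 1_900_000_000}}
    return mandate, sign_mandate(mandate), action, ctx


if __name__ == "__main__":
    print(evaluate_envelope(*demo_inputs()))
```

Returning only the first failing check keeps the rejection reason passed to the merchant unambiguous, and placing the signature check first means a tampered scope is never evaluated.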

Art. 5: Pre-contractual info to consumer
Art. 10: SECCI in good time before bound
Art. 14: 14-day withdrawal right
Art. 18: Creditworthiness assessment
Art. 36: Competent authority
// CCD2 KYA receipt — W3C VC, BBS+ signed
{
  "@context": [...v2, idcanopy/kya/v1],
  "type": ["VerifiableCredential", "KYAReceipt"],
  "issuer": "did:web:idcanopy.com",
  "id": "urn:uuid:7c9e6679...",
  "credentialSubject": {
    "agent": { did, operator, version, tier: "L2" },
    "mandate": { credentialId, consumerDid, scopeHash },
    "transaction": { merchantId, amount: 489.00 EUR, regime: "ccd2_credit" },
    "consent": { humanConfirmed: true, confirmedAt, secciAcknowledged: true, withdrawalRightNotified: true },
    "decision": { outcome: "approved", bureauReceiptIds: [...], reasoningChainHash, article18Applied: true }
  },
  "credentialStatus": StatusList2021,
  "proof": { bbs-2023, ... }
}
agent.tier: L2 — DID + VC delegation. Required for CCD2. Policy engine rejects L1 agents server-side.
mandate.scopeHash: Hash of the clause that authorised this transaction — proves which without disclosing the full mandate.
consent.humanConfirmed: The line between "agent-delegated transaction" and "specific consent by the consumer". CCD2 requires true.
consent.secciAck: Consumer tapped through the SECCI render before confirming. CCD2 Article 10.
consent.withdrawalRightNotified: 14-day withdrawal right displayed per Article 14. Defends against consumer protection challenges.
decision.reasoningChainHash: Hash over full Article 18 creditworthiness reasoning. Regulator verifies without inspecting bureau data.
proof (BBS+): Selective disclosure. Regulator verifies humanConfirmed=true without seeing consumer DID. GDPR-aligned.
credentialStatus: StatusList2021 entry. Revocable. Regulator can re-verify at any future date without calling us.
10 · Consultation Deliverables

Three outputs from this positioning engagement.

Scoped for Nexi's strategy team. Operator brings the regulated-receipt architecture and the trust-infrastructure relationships.
Deliverable 01

Agentic-commerce posture diagnostic

Mapping Nexi's current exposure to the four protocols (AP2, Agent Pay, TAP, ACP) and KYA-OS. Where Nexi sits in the landscape today — and what is missing for a regulated-receipt-layer-aware acquirer position across Italy, DACH, Nordics, and Iberia.

Deliverable 02

CCD2 gap analysis · consent-receipt layer

Structural gap at the consent-receipt-and-affordability layer for Nexi's Italian and EU merchant base. Article 18 exposure profile. SPID/CIE/Namirial chain as the structural advantage for Italian-first deployment — Banca d'Italia transposition expected Q2–Q3 2026; directive applies 20 November regardless.

Deliverable 03

PoPEye engagement model · scoped options

PoPEye as the CCD2-compliance piece Nexi distributes to its merchant base. Engagement options: white-label, OEM, or co-branded channel distribution. Operator anchors to the Namirial QTSP trust chain; Nexi brings the acquiring channel and merchant relationships.

CCD2 is the first wedge; PSD3/PSR, FIDA, and verticalized regulated transaction surfaces (insurance distribution, investment suitability) extend the same architecture.

Continuing the conversation

Where Nexi positions when agentic commerce ships through its rails — and what it ships when CCD2 lands.

CINDR.LA designs, architects, and operates the regulated trust-receipt layer above the payment protocols. For Nexi, the positioning consultation runs on three deliverables: a diagnostic of current agentic-commerce posture across the four protocols + KYA-OS; a gap analysis at the consent-receipt-and-affordability layer for CCD2 specifically; and a scoped engagement model for PoPEye as the answer to that gap — anchored to Italian-native trust infrastructure (Namirial QTSP, SPID, CIE) Nexi customers already integrate against.