"The European Banking Authority (EBA) has issued a new Opinion that provides the European payments industry with an EU-wide additional 15 months to comply with strong customer authentication (SCA) requirements for online ecommerce transactions."
Since there are banks that are already in compliance, the solution for consumers is to do business only with those banks.
While there is no international law on this, there is good banking practice that is universal. All banks have an obligation to "know their customers," and to ensure that "transactions are properly authorized." Passwords that are vulnerable to fraudulent reuse do not meet these standards of good practice.
In an era when most customers have e-mail, mobile computers, or both, strong authentication is not sufficiently difficult to implement to justify an extension. This is an example of "regulatory capture." The authority is derelict. It is serving banks rather than customers. Shame.