The European Securities and Markets Authority has launched a common supervisory action targeting crypto-asset service providers, with a focus on digital operational resilience, signaling heightened regulatory scrutiny for custody firms operating under the Markets in Crypto-Assets Regulation framework.
What ESMA’s review of crypto custody providers is focused on
ESMA announced the common supervisory action on CASPs and digital operational resilience, coordinating national competent authorities across the European Union to examine how crypto service providers manage operational risks tied to their digital infrastructure. For related coverage, see MiCA Transition Period Nears for Europe's Crypto Firms.
The review targets firms authorized or operating under MiCA, the EU’s comprehensive crypto-asset regulatory framework. Custody providers, which hold client assets on behalf of investors, are a central focus given the systemic role they play in asset safety.
The action comes as the MiCA transitional period has formally ended. ESMA published a public statement in June 2026 confirming that transitional arrangements for crypto firms have concluded, meaning all providers must now fully comply with MiCA requirements. This supervisory action follows directly from that milestone, as ESMA had previously ordered unauthorized crypto-asset service providers to halt onboarding new EU clients.
Why the ESMA move matters for crypto firms and users
Custody is the layer where user assets are most vulnerable. A provider’s operational resilience, including its cybersecurity posture, IT governance, and incident response capabilities, directly determines whether client funds remain safe during disruptions or attacks.
For custody providers already navigating MiCA compliance, this coordinated supervisory action raises the bar further. Firms that secured authorization during the MiCA transition period now face active oversight of their operational practices, not just their licensing status.
The distinction between custodial and non-custodial services under MiCA also adds complexity. As industry analysis has highlighted, the regulatory treatment of different custody models remains a live question, and ESMA’s review could produce clarity on supervisory expectations for various custody architectures.
The action also reflects a broader enforcement posture across the EU. National regulators have already begun drawing hard lines, with Spain refusing to extend deadlines for unlicensed crypto firms, and the European Banking Authority outlining its crypto fines framework under MiCA.
What comes next after the ESMA review announcement
Custody providers should expect national regulators to request documentation on IT risk management frameworks, business continuity plans, and third-party service provider oversight as part of this coordinated action.
Firms that recently joined the MiCA register may face particular scrutiny, as ESMA evaluates whether newly authorized providers have fully implemented operational resilience standards rather than treating authorization as a checkbox exercise.
The key milestones to watch include any follow-up guidance ESMA issues on operational resilience standards specific to crypto custody, enforcement actions against firms found non-compliant, and whether the findings lead to additional MiCA technical standards or guidelines for the custody sector.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
