ESMA Flags Crypto Custody Risks Following MiCA Transition

Paxful
fiverr


ESMA, the EU’s market regulator, is starting a dedicated supervisory process aimed at how crypto custody providers manage operational risks. The move is designed to feed into the wider rollout of the EU’s Markets in Crypto-Assets (MiCA) framework, which has been entering its enforcement phase as regulators move beyond initial transition deadlines.

According to an ESMA announcement on Wednesday, the regulator is launching a Common Supervisory Action (CSA) that will specifically examine the digital operational resilience frameworks of crypto-asset service providers (CASPs), with custody services at the center of the review.

Key takeaways

  • ESMA’s Common Supervisory Action will focus on operational resilience for custody activities, including how firms manage keys and stored crypto-asset custody.
  • National competent authorities will run risk-based reviews of authorized CASPs across the EU from now through the first half of 2027.
  • Supervisors are expected to assess governance, transaction controls, incident detection and response, and reliance on external service providers.
  • ESMA plans to compile the national findings into a final report for its Board of Supervisors after the exercise ends in the second half of 2027.

Why ESMA is targeting custody resilience now

The timing matters. ESMA’s announcement comes shortly after the end of MiCA’s transition phase on July 1, which has shifted attention toward how firms will demonstrate compliance under the new EU rulebook. As regulators move from transitional arrangements to ongoing supervision, custody has become a particularly important area due to its direct role in safeguarding assets and the high operational and technological risks involved.

In its statement, ESMA said the CSA will assess the maturity of CASPs’ digital operational resilience frameworks as they relate specifically to custody activities. The regulator highlighted that reviews will include key and storage management—core components of most custody operations—along with other operational risk domains.

okex

For market participants, this type of supervisory focus can be more than a compliance formality. Custody providers often sit between trading platforms, wallets, and end-users, meaning operational failures can propagate quickly across connected services. By evaluating resilience frameworks rather than only looking at formal authorization status, ESMA is signaling that the quality of operational controls will be a central supervisory concern.

How the Common Supervisory Action will work

ESMA said the supervisory action will be implemented by national competent authorities across the EU. Rather than performing a uniform check of all relevant firms, supervisors will conduct reviews using a risk-based sample of authorized CASPs.

The exercise is scheduled to run from now until the first half of 2027. During that window, regulators will examine how companies handle custody-related operational risks in practice. ESMA indicated that the reviews are expected to cover areas including:

  • Key and storage management arrangements tied to custody operations
  • Governance structures supporting resilience and operational control
  • Transaction controls used to manage and safeguard custody processes
  • Incident detection and response capabilities
  • Dependencies on external service providers

This scope suggests a focus on both preventative controls and recovery readiness. In digital operational resilience frameworks, incident detection, escalation, and response planning are especially important because many custody threats are operational in nature—ranging from system outages and misconfigurations to disruptions affecting critical dependencies.

From national findings to an ESMA-level report

After national authorities complete their assessments, ESMA will consolidate results into a final report. The filing is intended for submission to ESMA’s Board of Supervisors after the exercise concludes in the second half of 2027.

While the CSA is being delivered through national regulators, the consolidation into an ESMA-level output matters for the industry. It helps create a more coordinated EU-wide view of whether operational resilience expectations are being met consistently across member states, and it may influence how supervisors follow up where weaknesses are identified.

Custody providers adapting to MiCA’s new phase

ESMA’s custody review also arrives as parts of the market continue to adjust to MiCA’s requirements. The source noted that some custody providers have begun supporting crypto platforms adapting to the evolving EU regulatory environment.

Earlier coverage cited in the material points to activity from BitGo: last month, the company launched a Europe-focused crypto-as-a-service platform intended to help platforms maintain access to the market while working through MiCA-related compliance requirements. While ESMA’s CSA is not framed as a response to any single firm or incident, it reflects the broader supervisory direction—ensuring that custody services meet operational resilience expectations under the MiCA framework.

For operators and users, the underlying message is straightforward: as MiCA transitions into full supervision, regulators will increasingly look at the operational substance of compliance, especially in areas that directly manage private keys, storage infrastructure, and the systems used to detect and respond to incidents.

As the CSA progresses, firms should expect follow-up scrutiny around governance, controls, and resilience testing—particularly where custody depends on external vendors or complex operational workflows. The key open question for the market is how consistently national authorities will apply the same supervisory expectations, and what themes will emerge once ESMA consolidates the findings later in 2027.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure





Source link

Blockonomics

Be the first to comment

Leave a Reply

Your email address will not be published.


*