MiCA Licensing Marks Start as Crypto Custodians Come Under Scrutiny

Blockonomics
fiverr


EU regulators are moving beyond the “license first” phase of crypto oversight and turning their attention to whether custodians can actually operate safely under stress. On Wednesday, the European Securities and Markets Authority (ESMA) launched a Common Supervisory Action (CSA) focused on the operational resilience of crypto asset service providers (CASPs), with custody services at the center of the review.

The initiative arrives soon after MiCA’s transitional period ended, marking one of the first large supervisory exercises under the EU’s new crypto rulebook. ESMA says it will examine a sample of MiCA-authorized CASPs and evaluate how mature their digital operational resilience frameworks are for custody-related activities.

Key takeaways

  • ESMA’s Common Supervisory Action targets operational resilience for custody services, shifting scrutiny from authorization to day-to-day risk controls.
  • The review will examine areas such as key and storage management, transaction controls, incident response, and reliance on third parties.
  • Industry executives say institutional clients are already pressing custodians for detailed evidence around segregation, access controls, and business continuity.
  • Legal experts note the assessment intersects with both MiCA custody obligations and the Digital Operational Resilience Act (DORA) technology risk framework.
  • ESMA’s findings could influence broader EU debates about how CASPs should be supervised, including potential centralization at EU level.

ESMA’s supervisory action shifts the focus to operational proof

ESMA’s CSA will apply to a selected set of authorized CASPs under MiCA. Rather than treating licensing as a compliance endpoint, ESMA’s stated goal is to assess the maturity of firms’ operational resilience frameworks specifically for custody activities.

According to ESMA, the evaluation will cover multiple risk domains: key and storage management practices, transaction control mechanisms, how firms respond to incidents, and how they manage dependencies on third-party providers. This is important because custody failures are not only a legal breach—they can quickly translate into direct operational disruption and, potentially, loss of control over customer assets.

Ledger

Speaking to Cointelegraph, Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus, characterized the message as clear: “for custodians, a licence is the start line, not the finish.” He argued the move is constructive, reflecting how digital assets are integrating deeper into regulated financial infrastructure and therefore should meet the same resilience and accountability expectations as in traditional markets.

That emphasis on evidence is also resonating with institutions. Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, told Cointelegraph that institutional clients are already asking more granular questions about custody operations—particularly how segregated assets are handled, how access controls work, what happens during incidents, and whether business continuity plans remain effective when markets are under pressure.

Two operational tests: MiCA authorization and resilience under real-world conditions

For market participants, the ESMA move underscores that MiCA authorization and operational resilience are not interchangeable. Markus Levin, co-founder of blockchain infrastructure company XYO, framed it as “two different tests,” adding that custodians capable of demonstrating robust controls before ESMA completes its review could be positioned to benefit as institutional adoption grows.

That distinction matters because it changes what “good compliance” looks like in practice. Licensing under MiCA may indicate that a firm has met baseline regulatory requirements, but operational resilience assessments require ongoing demonstration: how controls function in practice, how quickly incidents are detected and addressed, and whether third-party arrangements introduce systemic weakness.

In other words, ESMA’s CSA effectively raises the bar from formal compliance to operational credibility—an approach that can also reduce informational asymmetry between regulators, clients, and custodians about how well safeguards hold up when conditions deteriorate.

MiCA meets DORA: supply-chain risk and the challenge of concentrated custody tech

Legal analysis from Digital & Analogue Partners highlights why this particular CSA may be more complex than earlier supervisory activities. Yuriy Brisov, a lawyer at the firm, said the review sits at the intersection of two EU regulatory frameworks: MiCA, which establishes obligations for custody services, and DORA, which sets technology risk requirements for financial entities.

Brisov pointed to an industry reality that could complicate supervision: custody technology is concentrated among a small number of vendors. As a result, a single weak supplier can affect multiple custodians at once, making resilience not just a firm-level property but also a supply-chain question.

In that context, Brisov argued that proving resilience across the full supply chain under both MiCA and DORA simultaneously is the “real challenge for CASPs.” The practical implication for custodians is that they may need to show more than internal policies—they may also need to demonstrate that outsourced components and vendor dependencies are managed with sufficient depth, monitoring, and contingency planning.

ESMA’s approach could also set a benchmark for future supervisory expectations. Brisov suggested the CSA’s outcomes may inform how regulators evaluate MiCA-authorized custodians and feed into broader discussions about whether crypto supervision in the EU should become more centralized.

Why this CSA could shape the next phase of EU crypto supervision

Beyond the immediate assessment of participating CASPs, the CSA is positioned within ongoing EU policy debates. Brisov said the results could influence two active areas: the ongoing review of MiCA itself, and a proposal to shift supervision of all CASPs from national regulators to ESMA.

This matters to investors and clients because supervisory consistency is often critical when risk is cross-border and operational systems rely on similar technology stacks. If the EU moves toward more centralized oversight, firms may need to align their resilience reporting and control structures to a harmonized standard—making early preparation potentially advantageous.

At the same time, uncertainty remains about how ESMA will translate CSA findings into concrete regulatory expectations. The CSA is an assessment exercise, but its conclusions could later affect supervisory intensity, remediation requirements, or how firms design controls for key management, transaction operations, and incident handling.

For now, ESMA’s message to the custody market is straightforward: MiCA authorization is not the finish line. CASPs should watch what ESMA emphasizes in its resilience findings—especially around third-party dependencies and operational processes under stress—because those themes are likely to define what “acceptable” looks like in the next round of EU crypto supervision.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure





Source link

Bitbuy

Be the first to comment

Leave a Reply

Your email address will not be published.


*