Business

EU Securities Regulator ESMA Launches Crypto Custody Review…

The European Securities and Markets Authority (ESMA) has opened a coordinated review of how crypto-asset service providers (CASP) safeguard client holdings, placing custody operations under direct scrutiny as the EU’s Markets in Crypto-Assets (MiCA) regulation shifts from transition into active supervision.

ESMA announced on 8 July that it is launching a Common Supervisory Action with national regulators to test the digital operational resilience of authorised crypto-asset service providers, with custody services as the specific focus. The exercise measures how mature firms’ resilience frameworks are across the technical and governance layers that keep client assets secure, and it runs from the second half of 2026 through the first half of 2027 before a consolidated report reaches ESMA’s Board of Supervisors in the second half of 2027.

What ESMA’s Custody Review Targets

The Common Supervisory Action zeroes in on risks inherent to distributed ledger technology, covering governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks, and dependencies on third-party providers. Each sits at the core of how a custodian holds and moves crypto assets on behalf of clients, and ESMA wants a read on whether firms newly inside the regulated perimeter have built controls that match the risk.

ESMA framed the initiative as a response to its risk-based supervisory priorities, which identify both digital operational resilience and crypto-asset service providers as key areas of risk. The regulator said it developed the action to enhance supervisory convergence in a fast-evolving market, a concern that has sharpened as the MiCA register expanded to 280 authorised providers and pulled a widening set of custodians, exchanges, and token issuers under a single oversight structure.

How National Regulators Run the Exercise

National competent authorities will carry out the review on a risk-based sample of authorised providers rather than the full population, concentrating supervisory attention where the resilience gap could prove most damaging. That design keeps enforcement in the hands of member-state supervisors while feeding a common set of findings back to the EU level, mirroring the split-responsibility model that has defined MiCA’s enforcement rollout across the bloc.

The action lands amid accelerating MiCA enforcement. Ripple secured full CASP authorisation from Luxembourg’s CSSFon 6 July, clearing it to serve the 30-country European Economic Area, while ESMA’s interim register climbed to 280 providers after the transitional period ended, up from 243, with Standard Chartered, FalconX, and Sygnum Europe among the newly listed firms and Cyprus leading the latest wave at six approvals. Spain’s CNMV ruled out extensions for unlicensed platforms, with chair Carlos San Basilio stating there would be no exceptions to the deadline. The custody review gives ESMA its first structured read on resilience controls since firms began moving off national registrations onto the shared EU register.