mt logoMyToken
ETH Gas
EN

ESMA Launches First Coordinated Crypto Custody Review Under MiCA

decentralized-network main

For EU crypto custodians, the grace period is over. With the Markets in Crypto-Assets regulation now fully enforced, the European Securities and Markets Authority has shifted from rulemaking to active supervision. Its first Common Supervisory Action on crypto-asset service providers puts custody operations under direct scrutiny, according to the original report . National regulators will begin risk-based reviews that run into 2027, zeroing in on governance, key management, transaction controls, incident response, smart contract risks, and third-party dependencies.

The CSA is not a one-off check. It represents a structured, coordinated effort across all member states to test the digital operational resilience of firms holding client crypto assets. The fact that ESMA chose custody as the first target says a lot about where regulators see the greatest risk. Private key mismanagement, flawed transaction approval processes, and reliance on outsourced infrastructure have long been weak points in crypto. Now they will be measured against the same supervisory expectations that apply to traditional financial market infrastructures.

What the Review Actually Covers

Governance reviews will examine whether boards have real oversight of custody operations, not just paper policies. Key management assessments will dig into how private keys are generated, stored, rotated, and recovered—often the trickiest part of any custody setup. Transaction controls will test how firms authorize and monitor outgoing transfers to prevent internal fraud or external breaches. Incident response planning, still immature at many crypto firms, will face particular pressure. Smart contract risks are also on the list, acknowledging that custody increasingly involves programmatic controls on-chain, not just offline storage.

Third-party dependencies add another layer. Many EU custodians rely on sub-custodians, cloud providers, or specialized blockchain infrastructure firms. ESMA wants assurance that those relationships don’t create hidden concentration risks or compliance gaps. This comprehensive scope mirrors the operational resilience frameworks applied to banks and central securities depositories under DORA and other EU regulations. For crypto-native companies that grew up outside that world, the expectations will be new and, in some cases, uncomfortable.

This is happening at a time when institutional staking and custody are converging, as seen with a Nasdaq-linked firm offering staking services for Sui—part of a broader shift that puts institutional staking and custody under the same operational demands as traditional asset servicing.

MiCA’s Full Enforcement Changes the Game

MiCA was phased in over several stages, but full enforcement means ESMA now has the legal authority to run common supervisory actions just like it does for securities markets. The CSA is a tool designed to ensure that the same rulebook is applied consistently from Lisbon to Helsinki. Without it, national regulators might interpret custody requirements differently, creating regulatory arbitrage. The 2027 timeline signals that this is not a snapshot review; it will adapt as risks evolve, potentially leading to follow-up actions or binding technical standards.

While Europe’s regulators are already running coordinated inspections, the U.S. is still fighting over foundational crypto legislation. Banks are trying to kill a landmark crypto bill days before a Senate vote , leaving the American custody landscape in limbo. That contrast sharpens the message to firms operating across both jurisdictions: EU regulatory clarity is turning into concrete supervisory pressure, and the gap with the U.S. is widening.

What’s Still Unclear

ESMA has not disclosed which custodians will be examined or how sampling will work. The CSA is risk-based, so larger, systemically important custodians are likely to face deeper assessments, but smaller firms shouldn’t assume they’ll slip through. The real question is what happens after the findings. Common supervisory actions often lead to public reports that name deficiencies without identifying specific firms, but they can also trigger enforcement proceedings if serious lapses are found. For custodians that have been operating under light-touch national regimes until now, the shift could be jarring.

The cost burden is another unknown. Smaller crypto startups may struggle to meet the governance and operational requirements without significant spending. That could accelerate consolidation, pushing custody into the hands of better-capitalized players. At the same time, demand for compliant custody is growing quickly. Tokenization of real-world assets just crossed $20 billion on-chain, as detailed in the latest tokenization roundup , meaning that safe, regulated custody infrastructure is becoming an urgent need, not a future option.

For EU crypto market participants, the review is a clear benchmark. The era of informal oversight is ending. Custody resilience is no longer just a competitive differentiator—it’s a regulatory requirement with teeth.

Disclaimer: This article is copyrighted by the original author and does not represent MyToken’s views and positions. If you have any questions regarding content or copyright, please contact us.(www.mytokencap.com)contact
More exciting content is available on
X(https://x.com/MyTokencap)
or join the community to learn more:MyToken-English Telegram Group
https://t.me/mytokenGroup