ESMA is scrutinizing how crypto custodians manage private keys, handle incidents, and rely on third-party technology providers.
The European Securities and Markets Authority launched a common supervisory action focused on the operational resilience of crypto-asset service providers' custody activities, according to a July 8 announcement.
"The CSA will assess the maturity of CASPs' digital operational resilience frameworks in relation to custody activities," ESMA said, adding that reviews will focus on key and storage management alongside other operational risks.
National competent authorities across the EU will conduct the reviews from now through the first half of 2027, examining a risk-based sample of authorized CASPs. Regulators will assess governance structures, transaction controls, incident detection and response, and dependencies on external service providers. ESMA will consolidate findings into a final report for its Board of Supervisors in the second half of 2027.
The review comes after MiCA's transition phase ended July 1, shifting attention to how EU authorities will enforce compliance with the new framework. Custody providers face potential enforcement actions if reviews uncover gaps, while compliant custodians such as BitGo — which launched a Europe-focused crypto-as-a-service platform last month — may benefit as trusted partners in the region.
What Regulators Will Examine
The scope of the CSA extends beyond basic key management. NCAs will assess whether CASPs have adequate governance frameworks for custody operations, including board-level oversight of digital asset safekeeping. Transaction monitoring controls and the ability to detect and respond to security incidents will also fall under review.
Regulators will scrutinize dependencies on third-party technology providers — a critical area given that many CASPs rely on external vendors for wallet infrastructure and custody software. ESMA said the action aims to determine the maturity of CASPs' digital operational resilience frameworks specifically in relation to custody.
Market Impact and Forward Outlook
The heightened scrutiny introduces compliance costs for CASPs operating in the EU, potentially accelerating consolidation among smaller providers that lack the resources to meet regulatory standards. Larger, well-capitalized custodians may gain market share as platforms seek compliant partners.
The review also signals that EU regulators are moving beyond rule-writing into active enforcement under MiCA. With the transition phase complete, national authorities now have the mandate to conduct on-site inspections and impose penalties for non-compliance. The final report, expected in the second half of 2027, will provide a benchmark for custody standards across the bloc.
This article is for informational purposes only and does not constitute investment advice.