ESMA launches first coordinated MiCA custody review of crypto firms' operational resilience

Fintech News

ESMA launches first coordinated MiCA custody review of crypto firms’ operational resilience #

The European Securities and Markets Authority announced on 8 July that it is initiating a Common Supervisory Action (CSA) in coordination with national competent authorities to evaluate the digital operational resilience of authorised crypto-asset service providers, with custody services as the primary focus.

The review will run from the second half of 2026 through the first half of 2027. A consolidated report of findings is scheduled for ESMA’s Board of Supervisors in the second half of 2027. National regulators will assess a risk-based sample of authorised firms rather than all licensed providers, focusing on areas where resilience gaps could prove most damaging to clients.

ESMA identified several risk areas for scrutiny, including governance arrangements, cryptographic key and storage management, transaction controls, incident detection and response capabilities, exposure to smart contract vulnerabilities, and dependencies on third-party providers such as sub-custodians, cloud services, and specialist blockchain infrastructure firms. The regulator said concentration risk from those external relationships is a particular concern.

The custody review is the first coordinated action under the MiCA framework. With the Markets in Crypto-Assets regulation fully in force and the EU’s CASP register at 280 authorised providers, up from 243 at the close of the transitional period, ESMA has moved from rulemaking into active ongoing supervision.

ESMA said the initiative reflects its supervisory risk priorities, which identify digital operational resilience and crypto-asset service providers as areas warranting heightened attention. The regulator also cited the goal of enhancing supervisory convergence across member states as the MiCA register continues to expand.

The review will apply resilience expectations aligned with those already in place for banks and securities depositories under the EU’s Digital Operational Resilience Act. Industry observers expect the findings to shape future enforcement priorities across the region.

Source: Investment Executive