Key Points:
• The European Securities and Markets Authority (ESMA) has launched a Common Supervisory Action (CSA) to examine the operational resilience of crypto custodians licensed under MiCA.
• The review will focus on custody controls, including private key management, transaction security, incident response and third-party service providers.
• Industry leaders say obtaining a MiCA license is only the first step, with regulators now requiring firms to demonstrate real-world operational resilience.
• The initiative also reinforces the growing interaction between MiCA and the Digital Operational Resilience Act (DORA), raising the compliance bar for crypto service providers.
EU Regulators Shift From Licensing to Supervision
The European Union is entering a new phase of cryptocurrency regulation as authorities move beyond licensing requirements and begin evaluating whether crypto firms can safely operate under real-world conditions.
The European Securities and Markets Authority (ESMA) has launched a Common Supervisory Action (CSA) focused on the operational resilience of Crypto-Asset Service Providers (CASPs), placing custodians under immediate regulatory scrutiny following the conclusion of MiCA’s transitional period.
Rather than evaluating whether firms qualify for authorization, regulators are now assessing whether licensed companies can effectively protect client assets and maintain operational stability during periods of market stress.
Custody Services Become the Primary Focus
ESMA’s review will examine a sample of MiCA-authorized custodians across the European Union, evaluating the maturity of their operational resilience frameworks.
The supervisory exercise will assess several core areas, including private key management, digital asset storage architecture, transaction verification controls, cybersecurity incident response procedures and reliance on external technology providers.
The initiative reflects regulators’ growing concern that custody infrastructure has become one of the most critical components of the digital asset ecosystem as institutional participation continues to expand.
Security Standards Move Beyond Compliance
Industry participants say the regulatory focus represents a shift from documentation toward demonstrable operational capability.
Sebastien Dessimoz, co-founder and managing partner of digital asset infrastructure provider Taurus, said the message from regulators is clear: obtaining a MiCA license is only the beginning.
According to Dessimoz, the industry is moving away from simply asserting security standards toward proving that operational controls can withstand practical threats and cyberattacks.
As digital assets become increasingly integrated into regulated financial markets, custodians are expected to meet security and governance standards comparable to those required in traditional finance.
Institutional Investors Demand Greater Transparency
Institutional clients are also raising expectations for custody providers.
Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, noted that investors are increasingly seeking detailed information regarding asset segregation, access management, cybersecurity controls, disaster recovery procedures and business continuity planning.
The heightened regulatory review aligns with growing institutional due diligence as large financial organizations continue expanding their digital asset operations.
MiCA and DORA Create Dual Compliance Challenge
The supervisory review also illustrates the growing overlap between the Markets in Crypto-Assets Regulation (MiCA) and the European Union’s Digital Operational Resilience Act (DORA).
While MiCA establishes the legal framework governing crypto custody and digital asset services, DORA introduces broader technology risk management requirements for financial institutions operating within the European Union.
Legal experts note that satisfying both frameworks simultaneously presents a significant compliance challenge, particularly for firms that rely heavily on third-party custody technology or cloud infrastructure providers.
Because multiple custodians often depend on the same technology vendors, vulnerabilities affecting one service provider could potentially impact numerous regulated firms across Europe.
Future Supervision Could Become More Centralized
The results of ESMA’s supervisory review may influence future regulatory policy beyond operational resilience.
Some legal analysts believe the findings could strengthen ongoing discussions about expanding ESMA’s supervisory authority over crypto firms rather than leaving oversight primarily with individual national regulators.
A more centralized supervisory model could create greater consistency across the European crypto market while establishing common expectations for security, governance and operational resilience.
Outlook
The launch of ESMA’s supervisory review signals that Europe’s crypto regulatory framework is entering its enforcement phase. As MiCA transitions from licensing to ongoing supervision, crypto custodians will face increasing pressure to demonstrate institutional-grade security, operational resilience and governance. Firms capable of meeting these higher standards may be better positioned to attract institutional clients as digital assets continue integrating into the broader European financial system.
Comparison, examination, and analysis between investment houses
Leave your details, and an expert from our team will get back to you as soon as possible