EU regulators tell crypto custodians: show your keys, show your work 🔑
The European Securities and Markets Authority (ESMA) launched a Common Supervisory Action (CSA) on Wednesday to examine the operational resilience of crypto-asset service providers (CASPs), placing custody services at the center of the review. The action runs through the first half of 2027 and represents one of the first major supervisory exercises under the European Union's Markets in Crypto-Assets (MiCA) framework after its transitional period ended on July 1.
National competent authorities (NCAs) across the EU will conduct the reviews on a risk-based sample of authorized CASPs. "The CSA will assess the maturity of CASPs' digital operational resilience frameworks in relation to custody activities," ESMA said, adding that examinations will cover key and storage management, governance structures, transaction controls, incident detection and response, and dependencies on external service providers. ESMA will consolidate findings into a final report for its Board of Supervisors after the exercise concludes in the second half of 2027.
Industry executives said the action marks a shift from authorization to active supervision. "The signal is quite clear: for custodians, a licence is the start line, not the finish," Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus, said. "The shift I expect is from asserting security to evidencing it," Dessimoz added. Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, said institutional clients are already asking more detailed questions about how custody providers segregate assets, manage access controls, respond to incidents and maintain business continuity during periods of market stress. "The signal is that regulators are looking more closely at the operational standards behind digital asset services, not just whether firms are licensed," Mettler added.
Markus Levin, co-founder of blockchain infrastructure company XYO, said obtaining MiCA authorization and demonstrating operational resilience are "two different tests," adding that CASPs able to prove robust controls before regulators complete their review could gain an advantage as institutional adoption grows. Yuriy Brisov, a lawyer at Digital & Analogue Partners, said the review sits under two EU regulatory frameworks at once: MiCA, which establishes custody obligations, and the Digital Operational Resilience Act (DORA), which sets technology risk requirements for the financial sector.
The launch follows recent enforcement steps by national regulators since the MiCA deadline, including the Belgian regulator flagging six unauthorized crypto providers, and the publication of ESMA's first MiCA register update since the transition period ended, which listed Standard Chartered among authorized entities. Last month, BitGo launched a Europe-focused crypto-as-a-service platform designed to help platforms maintain access to the market while working through MiCA-related compliance requirements.
Share Article
Quick Info
Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.
See our Terms of Service, Privacy Policy, and Editorial Policy.