ESMA Moves Into Active Enforcement The European Securities and Markets Authority (@ESMAComms) is launching a Common Supervisory Action (CSA) targeting the digital operational resilience of au
ESMA Moves Into Active Enforcement
The European Securities and Markets Authority (@ESMAComms) is launching a Common Supervisory Action (CSA) targeting the digital operational resilience of authorized Crypto-Asset Service Providers (CASPs), with a particular focus on custody activities. The CSA is focused on the operational resilience of CASPs, with a specific emphasis on custody services, according to an official announcement.
The move signals a clear shift in posture for European crypto regulation. It comes shortly after the end of MiCA's transition phase on July 1, prompting increased attention to how EU authorities will supervise compliance with the new framework, including potential enforcement questions.
"The CSA will assess the maturity of CASPs' digital operational resilience frameworks in relation to custody activities," ESMA said, adding that reviews will focus on areas including key and storage management, alongside other operational risks. National Competent Authorities (NCAs) will carry out the reviews through the first half of 2027, after which ESMA will consolidate the findings into a final report to be submitted to its Board of Supervisors after the exercise concludes in the second half of 2027.
The End of MiCA's Transitional Period
The CSA follows directly from the closure of MiCA's grandfathering window. On July 1, 2026, the transitional window under MiCA closed for good. Under Article 143(3), CASPs that were operating legally under national regimes before MiCA applied could keep trading while they pursued full authorization. That window is now shut.
The expiry of the transitional arrangements is more than a technical deadline. It is the point at which MiCA becomes the sole gateway to providing regulated crypto-asset services in the EU.Key obligations imposed on authorized CASPs include governance and organizational requirements, minimum prudential safeguards, robust AML and counter-terrorist-financing controls, consumer disclosure obligations, incident-reporting duties, and for custodial service providers, detailed custody and segregation rules.
The supervisory scope of the CSA reflects those custody obligations directly. By auditing key management, storage protocols, and incident response frameworks, ESMA is signaling that it intends to hold authorized custodians to the full letter of MiCA's operational requirements, not just its licensing conditions. ESMA has warned CASPs to clearly communicate the regulatory status of their products, with messaging throughout 2025 emphasizing that many CASPs needed to complete licensing, disclosure, and data retention preparations ahead of the progressive closure of national transitional periods.
As of July 6, 2026, 283 companies hold a MiCA (CASP) license. They were licensed by national regulators in 25 EU/EEA countries and can passport their services across the whole bloc. The CSA will now test whether the operational infrastructure of those authorized firms matches the regulatory standards they signed up to meet.
Sources:Cointelegraph: ESMA Reviews Crypto Custody Security Under EU RulesESMA: Markets in Crypto-Assets Regulation (MiCA) Official PageESMA Public Statement: MiCA Transitional Period Ends (June 2026)