BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Policy

ESMA MiCA Crypto Custodian Review Begins

The European Securities and Markets Authority launched a Common Supervisory Action on 8 July 2026 targeting the digital operational resilience of crypto-asset service providers, with custody

AnonymousCryptoCompass newsroom
July 11, 2026
4 min read
NEWS
Hero article visual / chart / editorial image
CryptoCompass editorial visual for policy coverage.

The European Securities and Markets Authority launched a Common Supervisory Action on 8 July 2026 targeting the digital operational resilience of crypto-asset service providers, with custody operations as the primary focus. The coordinated review marks ESMA's first major supervisory exercise since the MiCA transitional period ended, shifting the regulator's attention from licensing to how authorised firms actually safeguard client assets.

ESMA opens a MiCA-era resilience review focused on crypto custody

ESMA's new action is not a broad sweep of MiCA compliance. It zeroes in on custody services, the segment of the crypto-asset market where operational failures pose the most direct risk to client funds. For related coverage, see CME Crypto Volume Rose 76% to $10.7B in June: Report.

The review will test six distinct operational-risk areas: governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks, and dependencies on third-party providers.

Resilience Checks 6 Supervisors will test governance, key and storage management, transaction controls, incident detection and response, smart contract risk, and third-party dependencies.

Key management stands out as the most technically sensitive area. A custodian's ability to generate, store, and use cryptographic keys without exposing them to compromise is the foundation of the entire service. ESMA is treating it as a distinct supervisory priority alongside broader storage controls.

National competent authorities across the EU will carry out the reviews, examining a risk-based sample of authorised CASPs. The exercise is coordinated at the EU level but executed locally, giving each member-state regulator discretion over which firms to assess.

Why the timing matters after MiCA's transition period ended

The supervisory action arrived just days after the MiCA transitional period closed on 1 July 2026. ESMA had already warned that unauthorised crypto providers must halt EU operations once the deadline passed, effectively clearing the market of firms that failed to secure authorisation.

Before MiCA, the EU had no harmonised rules for crypto custody and administration beyond anti-money-laundering requirements. The regulation created an EU-wide framework that brought these services under consistent financial-services oversight for the first time.

That context explains the sequencing. ESMA spent the transition period focused on getting firms authorised or wound down. With the MiCA July 1 deadline now behind it, the regulator is pivoting to whether the firms that made it through actually meet the operational standards the regime demands.

Competitor coverage from crypto trade press confirmed the review but largely missed this connection to the transition-end timing. The action is not a standalone initiative; it is the logical next phase of MiCA implementation, moving from authorisation gatekeeping to active operational supervision of the firms now inside the regime.

What authorised crypto custodians should watch through 2027

The review window runs from the second half of 2026 through the first half of 2027. ESMA expects to publish a final report in the second half of 2027, which will likely set expectations for future supervisory cycles.

CSA Review Window H2 2026 - H1 2027 Regulators will review a risk-based sample of authorised crypto firms across the two half-year periods following MiCA transition.

For authorised custodians, the focus areas signal where supervisory scrutiny will be heaviest. Governance arrangements and incident response capabilities are standard financial-services checkpoints, but smart contract risk and third-party dependency assessments reflect the specific operational realities of crypto custody.

Firms that rely on external infrastructure providers for wallet management, transaction signing, or blockchain node access should expect regulators to examine those relationships closely. Third-party concentration risk, where multiple custodians depend on the same small set of technology vendors, is a systemic concern ESMA has flagged across traditional finance and is now applying to crypto.

The 57 firms approved under MiCA so far include both crypto-native custodians and traditional financial institutions expanding into digital assets. Both groups face the same resilience standards, but their operational architectures differ significantly, which will shape how regulators apply the review criteria.

Firms such as Ripple, which secured full MiCA approval in Luxembourg, now operate under these new supervisory expectations. The ESMA report due in the second half of 2027 will establish benchmarks for what adequate crypto custody resilience looks like across the EU, setting the baseline for any enforcement actions or regulatory guidance that follows.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.

Read original article on nftenex.com