ESMA Targets MiCA Crypto Custodians With Operational Resilience Review

Key Takeaways

  • ESMA launched a Common Supervisory Action to assess the operational resilience of MiCA-authorized crypto asset service providers, centering on custody.
  • The review examines key and storage management, transaction controls, incident response, and third‑party dependencies for custody activities.
  • Industry executives say the shift moves custodians from “asserting” to “evidencing” security and could shape debates over centralized EU crypto supervision.

The European Securities and Markets Authority (ESMA) on Wednesday launched a Common Supervisory Action (CSA) under the European Union’s Markets in Crypto-Assets Regulation (MiCA) to test the operational resilience of crypto asset service providers, with custody services at the core of the review. The move signals that for EU crypto custodians, authorization is just the starting point as supervisors pivot to whether firms can withstand real‑world risks.

What Happened

ESMA said the CSA will apply to a sample of crypto asset service providers (CASPs) authorized under MiCA. The exercise is designed to assess the maturity of firms’ digital operational resilience frameworks for custody, including how providers manage private keys and storage, implement transaction controls, respond to incidents, and handle dependencies on third‑party technology vendors.

Industry voices framed the development as a structural shift in Europe’s crypto market. “The signal is quite clear: for custodians, a licence is the start line, not the finish,” said Sebastien Dessimoz, co‑founder and managing partner at digital asset infrastructure firm Taurus. Executives expect regulators to require demonstrable evidence that control environments perform under stress, not just statements of policy.

The CSA arrives shortly after MiCA’s transitional period expired, marking one of the first major supervisory actions under the EU’s new crypto rulebook.

Market Reaction

Early industry commentary points to heightened scrutiny of custody risk. Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, said institutional clients have already been seeking more detail on segregation of assets, access controls, incident response, and business continuity during market stress. “The signal is that regulators are looking more closely at the operational standards behind digital asset services, not just whether firms are licensed,” she said.

Markus Levin, co‑founder of blockchain infrastructure company XYO, characterized MiCA authorization and operational resilience as “two different tests,” adding that CASPs able to prove strong controls before the review concludes could gain an edge as institutional adoption grows.

Trading and On-Chain Activity

The CSA’s scope is operational rather than price- or activity‑oriented. ESMA’s focus on custody mechanics—private key and storage management, transaction governance, incident playbooks, and vendor dependencies—targets the infrastructure layer that underpins trading and settlement. While on‑chain metrics or exchange volumes are not part of the stated review, the emphasis on asset segregation, access permissions, and recovery processes speaks directly to safeguards that protect client funds during volatile markets or operational disruptions.

Why This Matters Now

The shift from authorization to resilience tightens the bar for providers seeking to serve EU clients under MiCA. As Dessimoz put it, the evolution is from “asserting security to evidencing it.” In practice, that means custody providers must be able to demonstrate how policies translate into auditable controls, tested recovery procedures, and resilient architectures—especially where critical functions are outsourced to a limited number of vendors.

The timing is pivotal. With MiCA’s transitional period now over, the EU’s supervisory machinery is moving from framework design to enforcement. A custody‑first approach addresses one of the most sensitive risk points in digital assets: control over private keys and the operational processes that ensure client assets remain safe during market stress, cyber incidents, or third‑party outages.

Broader Market Context

According to Yuriy Brisov of Digital & Analogue Partners, the CSA sits at the intersection of MiCA and the EU’s Digital Operational Resilience Act (DORA). MiCA defines custody obligations for CASPs, while DORA sets technology risk requirements for financial firms. Brisov noted that custody technology is concentrated among a handful of vendors, creating the risk that “one weak supplier can hit many firms at once.” Proving resilience across that supply chain under both regimes “is the real challenge for CASPs,” he said.

The findings from this supervisory action could set a benchmark for how national authorities and ESMA assess MiCA‑authorized custodians, Brisov added, and may influence ongoing policy discussions over whether crypto supervision should be centralized at the EU level. “The findings will feed into two live debates: the review of MiCA and the proposal to move supervision of all CASPs from national regulators to ESMA,” he said.

Implications for Investors and Traders

For market participants, custody risk is execution risk. The CSA underscores that licensing under MiCA is necessary but insufficient; the durability of key management, segregation, access permissions, and incident response will shape counterparty risk assessments. Institutional clients already appear to be pressing for detailed operational transparency, according to Mettler, suggesting a rising premium for providers that can document and test their controls.

Traders transacting with EU‑authorized custodians may prioritize counterparties that can demonstrate robust resilience testing, clear incident communications, and mapped third‑party dependencies. CASPs that can show audited processes—especially around hot/cold storage governance, transaction approvals, and disaster recovery—could be better positioned to retain institutional flows during periods of stress. Conversely, gaps exposed by the CSA may prompt risk reassessments, mandate changes, or the reallocation of assets to firms with stronger evidence of control effectiveness.

What’s Next

ESMA’s review will examine a sample of MiCA‑authorized CASPs, with custody at the center. The results are expected to inform supervisory practice across the bloc and may help shape the EU‑level debate on centralizing crypto oversight. Providers seeking to get ahead of the process may look to tighten documentation, conduct resilience drills that evidence results, and assess concentration risks in their vendor stacks.

For official details on the scope of the supervisory action, see ESMA’s announcement: ESMA launches Common Supervisory Action on CASPs’ digital operational resilience. For background on the technology risk framework applying to financial firms in the EU, see the EU’s overview of DORA: Digital Operational Resilience Act.