
ESMA, the EU’s market regulator, is starting a dedicated supervisory process aimed at how crypto custody providers manage operational risks. The move is designed to feed into the wider rollout of the EU’s Markets in Crypto-Assets (MiCA) framework, which has been entering its enforcement phase as regulators move beyond initial transition deadlines.
According to an ESMA announcement on Wednesday, the regulator is launching a Common Supervisory Action (CSA) that will specifically examine the digital operational resilience frameworks of crypto-asset service providers (CASPs), with custody services at the center of the review.
The timing matters. ESMA’s announcement comes shortly after the end of MiCA’s transition phase on July 1, which has shifted attention toward how firms will demonstrate compliance under the new EU rulebook. As regulators move from transitional arrangements to ongoing supervision, custody has become a particularly important area due to its direct role in safeguarding assets and the high operational and technological risks involved.
In its statement, ESMA said the CSA will assess the maturity of CASPs’ digital operational resilience frameworks as they relate specifically to custody activities. The regulator highlighted that reviews will include key and storage management—core components of most custody operations—along with other operational risk domains.
For market participants, this type of supervisory focus can be more than a compliance formality. Custody providers often sit between trading platforms, wallets, and end-users, meaning operational failures can propagate quickly across connected services. By evaluating resilience frameworks rather than only looking at formal authorization status, ESMA is signaling that the quality of operational controls will be a central supervisory concern.
ESMA said the supervisory action will be implemented by national competent authorities across the EU. Rather than performing a uniform check of all relevant firms, supervisors will conduct reviews using a risk-based sample of authorized CASPs.
The exercise is scheduled to run from now until the first half of 2027. During that window, regulators will examine how companies handle custody-related operational risks in practice. ESMA indicated that the reviews are expected to cover areas including:
This scope suggests a focus on both preventative controls and recovery readiness. In digital operational resilience frameworks, incident detection, escalation, and response planning are especially important because many custody threats are operational in nature—ranging from system outages and misconfigurations to disruptions affecting critical dependencies.
After national authorities complete their assessments, ESMA will consolidate results into a final report. The filing is intended for submission to ESMA’s Board of Supervisors after the exercise concludes in the second half of 2027.
While the CSA is being delivered through national regulators, the consolidation into an ESMA-level output matters for the industry. It helps create a more coordinated EU-wide view of whether operational resilience expectations are being met consistently across member states, and it may influence how supervisors follow up where weaknesses are identified.
ESMA’s custody review also arrives as parts of the market continue to adjust to MiCA’s requirements. The source noted that some custody providers have begun supporting crypto platforms adapting to the evolving EU regulatory environment.
Earlier coverage cited in the material points to activity from BitGo: last month, the company launched a Europe-focused crypto-as-a-service platform intended to help platforms maintain access to the market while working through MiCA-related compliance requirements. While ESMA’s CSA is not framed as a response to any single firm or incident, it reflects the broader supervisory direction—ensuring that custody services meet operational resilience expectations under the MiCA framework.
For operators and users, the underlying message is straightforward: as MiCA transitions into full supervision, regulators will increasingly look at the operational substance of compliance, especially in areas that directly manage private keys, storage infrastructure, and the systems used to detect and respond to incidents.
As the CSA progresses, firms should expect follow-up scrutiny around governance, controls, and resilience testing—particularly where custody depends on external vendors or complex operational workflows. The key open question for the market is how consistently national authorities will apply the same supervisory expectations, and what themes will emerge once ESMA consolidates the findings later in 2027.
This article was originally published as ESMA Flags Crypto Custody Risks Following MiCA Transition on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.