ESMA Crypto Custody Review Begins After MiCA Enforcement
The European Securities and Markets Authority on 8 July 2026 launched a Common Supervisory Action targeting the digital operational resilience of crypto-asset service providers, with a specific focus on custody, just one week after MiCA’s final transition window closed.
The European Securities and Markets Authority on 8 July 2026 launched a Common Supervisory Action targeting the digital operational resilience of crypto-asset service providers, with a specific focus on custody, just one week after MiCA’s final transition window closed.
The coordinated review will assess how authorised CASPs manage DLT-specific custody risks including governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks, and third-party dependencies, according to ESMA’s announcement. For related coverage, see Reuters: Binance Could Lose EU Access if Greece MiCA Bid Fails.
National Competent Authorities across the EU will carry out the exercise on a risk-based sample of authorised CASPs from the second half of 2026 through the first half of 2027. ESMA plans to publish a final report in the second half of 2027.
Why ESMA’s crypto custody review matters now
The timing is not coincidental. MiCA’s CASP provisions began applying on 30 December 2024, but existing providers could rely on national transitional arrangements for up to 18 months. That maximum grace period expired on 1 July 2026, just days before the review launched.
ESMA, the EU’s securities markets supervisor, coordinates national regulators on consistent application of EU financial rules. In the crypto context, it maintains the MiCA register of authorised firms and sets supervisory priorities across member states.
Custody sits at the center of investor protection in crypto markets. Unlike traditional securities held at regulated depositories, crypto custody involves private key management, on-chain transaction signing, and smart contract interactions, all of which introduce operational risks that existing financial frameworks were not built to address.
ESMA’s 23 June 2026 public statement made the stakes explicit: unauthorised CASPs must stop onboarding new EU clients after the transition ends and may retain custody only for the period strictly necessary to complete an orderly exit. The same statement reminded the market that MiCA prohibits CASPs from outsourcing or delegating custody to entities that are not themselves authorised.
That prohibition on delegation adds weight to the custody-focused review. As the MiCA transition period ended on 1 July, any custody provider relying on unlicensed sub-custodians faced immediate compliance exposure.
What crypto firms and investors should watch next
As of late June, 244 MiCA-authorised CASPs were on the register. That number represents the surviving pool now subject to active supervisory scrutiny rather than licensing grace periods.
Erald Ghoos, cited by CoinDesk, offered a blunt assessment of the shakeout ahead:
“I estimate that 80% of the crypto players won’t survive after MiCA.”
For the firms that did secure authorisation, the CSA review signals that holding a MiCA licence is the beginning of compliance, not the end. NCAs will examine whether custody operations meet the regulation’s operational resilience standards in practice, not just on paper.
The review’s risk checklist, covering governance, key management, incident response, smart contract exposure, and third-party dependencies, gives authorised custodians a concrete preview of what supervisors will test. Firms whose custody infrastructure relies on outsourced components face particular scrutiny given ESMA’s recent reminder that MiCA bars delegation of custody to unauthorised entities.
Martin Kreitmair of Tangany, in the context of Ledger Enterprise’s partnership announcement, noted that “Europe is rapidly emerging as a leading regulated market for institutional digital assets.” That framing reflects how compliant custody providers are positioning MiCA-aligned infrastructure as a competitive advantage for institutional clients.
Investors evaluating EU-based crypto custodians should watch for transparency around key management practices, asset segregation policies, and incident response capabilities. The CSA’s findings, expected in the second half of 2027, will likely shape follow-up guidance or enforcement priorities.
For firms that failed to secure authorisation, the window is closing fast. ESMA’s June statement permits custody retention only during an orderly wind-down, and several major platforms have already halted EU services after missing the MiCA deadline. The coordinated review now shifts regulatory attention from who is licensed to whether licensed firms can actually safeguard client assets under DLT-specific operational stress.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.






