ESMA Opens EU-Wide Review of Crypto Custody Operational Resilience
The European Securities and Markets Authority said on July 8 that it is launching a Common Supervisory Action focused on digital operational resilience at Crypto-Asset Service Providers, with a specific emphasis on custody services.
ESMA said national competent authorities will carry out the exercise on a risk-based sample of authorised CASPs. The review will examine how mature firms’ resilience frameworks are for custody activities, including governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks and dependencies on third-party providers.
The exercise is scheduled to run from the second half of 2026 through the first half of 2027. ESMA said the findings will be consolidated into a final report for its Board of Supervisors after the exercise concludes in the second half of 2027.
Why it matters
For crypto traders, custody controls are part of market access risk. A platform can offer tight spreads and broad token coverage, but weak key management, transaction controls or incident response can still turn an account-level issue into a broader loss event.
The review also signals that EU supervisors are moving from authorisation under MiCA toward active testing of operational resilience in crypto market infrastructure.
What to watch next
Watch whether national supervisors publish firm-level expectations or remediation themes as the CSA progresses. Traders using EU-authorised crypto platforms should also monitor any custody, wallet, withdrawal or third-party-provider disclosures that follow the supervisory work.