ESMA turns scrutiny on crypto custody as MiCA oversight cycle begins
With the Markets in Crypto-Assets regulation now setting the formal compliance perimeter for digital asset firms across the European Union, the bloc's top securities regulator is shifting from lawmaker to examiner. The European…
HONG KONG— July 8, 2026
With the Markets in Crypto-Assets regulation now setting the formal compliance perimeter for digital asset firms across the European Union, the bloc's top securities regulator is shifting from lawmaker to examiner. The European Securities and Markets Authority has said it will assess crypto custody providers on key management, incident response, and their reliance on third-party technology suppliers. The move signals that MiCA's supervisory cycle is entering a more active phase.
What ESMA is examining
Key management in a custody context covers how providers secure and control access to client assets at the cryptographic layer. Incident response concerns how quickly and transparently firms contain and communicate security failures when they occur. Third-party technology reliance addresses how much of a provider's operational continuity depends on external vendors rather than systems the firm controls directly.
ESMA's choice to focus on these specific areas points to the parts of custody operations that are hardest to observe from outside the firm, and most likely to generate wider problems if they fail at scale.
The post-MiCA supervision question
MiCA replaced the earlier patchwork of national-level crypto rules with a single EU-wide licensing framework. Custody providers were among the entities that faced the heaviest new obligations under that transition. ESMA's review represents the expected next phase: once firms are inside the regulatory perimeter, the question shifts from whether they qualify for authorization to whether they operate in line with what that authorization requires.
The attention to third-party technology suppliers carries a read-through for the broader custody sector. Concentration at the infrastructure level, where multiple custodians rely on the same external vendors, creates systemic exposure that individual firm audits tend to miss. ESMA appears to be mapping exactly that risk.
For any custody provider operating within the EU, the review adds a second compliance test. Clearing MiCA authorization was the first pass. Demonstrating that day-to-day operations hold up under supervisory examination is the harder one, and ESMA has now said it intends to run it.
Related reading
Source · 來源