MiCA licensing only the beginning as custodians face scrutiny
MiCA licensing only the beginning for EU crypto custodians: a Markets in Crypto-Assets permit allows firms to operate across the bloc, but the European Securities and Markets Authority's new review will test whether licensed providers can meet required security and operational resilience standards—not just on paper. Regulators are shifting from authorization to enforcement as MiCA's transitional period ends.
Getting licensed under the European Union's MiCA framework is widely seen as a milestone, yet industry observers warn it may be the start line rather than the finish. The European Securities and Markets Authority on Wednesday launched a Common Supervisory Action to examine the operational resilience of crypto asset service providers, with custody services at the center of the review.
Key Takeaways
- ESMA launched a Common Supervisory Action focused on custody operational resilience shortly after MiCA's transitional period expired.
- National regulators will assess a risk-based sample of authorized CASPs on controls including key management, incident response, and third-party dependencies.
- Lawyers say the review sits under both MiCA custody obligations and the EU's Digital Operational Resilience Act.
- Industry voices describe a MiCA licence as the start line, not the finish, for custodians serving EU clients.
- The exercise marks one of the first major supervisory tests under the EU's new crypto framework.
Why is ESMA reviewing crypto custodians now?
The supervisory push arrives just after MiCA's transitional period expired, marking one of the first major exercises under the EU's new crypto framework. For firms that raced to secure authorization, the message is clear that approval alone will not end regulatory attention.
"The signal is quite clear: for custodians, a licence is the start line, not the finish," Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus, told Cointelegraph. The timing suggests supervisors want proof that licensed platforms can protect client assets in practice.
What will regulators examine during the custody review?
ESMA told Cointelegraph that the review will apply to a sample of authorized CASPs under MiCA. National competent authorities will carry out risk-based assessments focused on the maturity of digital operational resilience frameworks for custody activities.
Specific areas include key and storage management, transaction controls, incident response, and dependencies on third-party providers. ESMA will consolidate findings from national supervisors into a final report after the exercise concludes.
How do MiCA and DORA rules overlap for custodians?
Yuriy Brisov, a lawyer at Digital & Analogue Partners, said the ESMA action sits under two EU frameworks at once. MiCA establishes custody obligations for crypto asset service providers, while the Digital Operational Resilience Act sets technology risk requirements for financial firms.
According to Brisov, the review could set a benchmark for how regulators assess MiCA-authorized custodians and influence discussions around a more centralized approach to crypto supervision in the EU. Firms that fall short may face pressure to upgrade governance, systems, or vendor arrangements.
Where does this fit in today's crypto regulatory picture?
While Washington debates measures such as the CLARITY Act and scrutiny grows over the crypto lobby's political spending, Europe is moving from rulemaking to live supervision. Readers tracking daily shifts in Fintech & Crypto Alerts will note that custody—where client losses hit hardest—is the first major post-MiCA stress test.
For more detail on the supervisory program, see Cointelegraph's reporting on ESMA's custody review. Licensed custodians should treat the exercise as a rehearsal for how EU oversight will work in practice.