The European Securities and Markets Authority (ESMA) has announced a comprehensive EU-wide supervisory initiative aimed at strengthening the digital operational resilience of crypto-asset service providers, particularly those involved in custody activities.
This move underscores the regulator’s commitment to addressing emerging risks in the fast-growing digital asset sector as the bloc implements its pioneering Markets in Crypto-Assets (MiCA) framework.
Set to begin in the second half of 2026 and continue through the first half of 2027, the Common Supervisory Action (CSA) will involve national competent authorities (NCAs) conducting targeted assessments on a risk-based selection of authorized crypto-asset service providers (CASPs).
The primary focus is on evaluating the maturity and effectiveness of these firms’ frameworks for managing operational risks tied to custody services, which are critical for safeguarding client assets in an environment prone to technological vulnerabilities.
Central to the review are challenges unique to distributed ledger technology (DLT), the backbone of most crypto operations.
Supervisors will scrutinize several key areas, including robust governance structures, secure management of cryptographic keys and asset storage, effective controls over transactions, mechanisms for detecting and responding to incidents, potential vulnerabilities in smart contracts, and the implications of relying on external third-party providers.
These elements are essential for preventing disruptions that could lead to asset losses, service outages, or broader market instability.
This initiative aligns with ESMA‘s broader risk-based supervisory priorities, which highlight digital operational resilience and the crypto sector as high-priority domains.
By coordinating efforts across member states, the CSA seeks to promote greater consistency in how regulators approach supervision in this innovative but volatile market.
The findings from the exercise will be aggregated into a comprehensive report, to be presented to ESMA’s Board of Supervisors in the latter part of 2027, potentially informing future policy adjustments or best practices.
Industry observers note that the timing is significant.
With MiCA now in force, many CASPs have secured authorizations and are scaling operations, yet custody remains a high-risk function due to the decentralized and often borderless nature of blockchain networks.
Past incidents in the crypto space—ranging from hacks and key compromises to smart contract exploits—have demonstrated the need for stringent safeguards.
ESMA’s review is expected to encourage firms to bolster their internal controls and align more closely with standards akin to those in traditional finance, such as those outlined in the Digital Operational Resilience Act (DORA).
For market participants, the CSA signals a shift from initial licensing hurdles to deeper operational scrutiny.
Custodians will likely need to demonstrate not just compliance on paper but proven resilience through testing, documentation, and ongoing risk management.
This could drive investments in advanced security technologies, better governance models, and diversified service partnerships.
The effort reflects the EU’s proactive stance in fostering a safe, trustworthy environment for crypto innovation while protecting investors and maintaining financial stability. As the review unfolds, it may set a benchmark for other jurisdictions grappling with similar challenges in regulating digital assets.