
ESMA Launches Supervisory Review of MiCA Crypto Custodians
The European Securities and Markets Authority has initiated a supervisory review of MiCA-authorized crypto custodians, shifting focus from licensing to operational resilience testing. The review will assess how firms handle real-world operational risks and compliance requirements under the Markets in Crypto Assets regulation.
Key Takeaways
- 1## ESMA's New Supervisory Phase The European Securities and Markets Authority announced a supervisory review targeting MiCA-authorized crypto custodians, marking a transition from the licensing phase to ongoing oversight.
- 2The review will examine how custodians manage operational risks in practice, including safeguarding of customer assets, business continuity, and incident response procedures.
- 3ESMA's move reflects the regulator's intent to verify that authorized firms meet the resilience standards codified in MiCA beyond their initial authorization submissions.
- 4## What the Review Will Cover The supervisory program will likely focus on operational resilience — the ability of custodians to identify, manage, and recover from disruptions to critical business functions.
- 5Key areas include cybersecurity posture, segregation and custody protocols, third-party service provider oversight, and testing of disaster recovery and backup systems.
ESMA's New Supervisory Phase
The European Securities and Markets Authority announced a supervisory review targeting MiCA-authorized crypto custodians, marking a transition from the licensing phase to ongoing oversight. The review will examine how custodians manage operational risks in practice, including safeguarding of customer assets, business continuity, and incident response procedures. ESMA's move reflects the regulator's intent to verify that authorized firms meet the resilience standards codified in MiCA beyond their initial authorization submissions.
What the Review Will Cover
The supervisory program will likely focus on operational resilience — the ability of custodians to identify, manage, and recover from disruptions to critical business functions. Key areas include cybersecurity posture, segregation and custody protocols, third-party service provider oversight, and testing of disaster recovery and backup systems. ESMA will also examine compliance with MiCA's requirements around governance, risk management frameworks, and reporting obligations to national regulators.
Timing and Industry Context
The announcement comes as MiCA custodian licenses are now live across European member states. ESMA's shift to supervisory testing reflects a maturing regulatory environment where initial compliance with licensing criteria is only the first checkpoint. The review signals that regulators will conduct on-site inspections and request documentation to verify operational claims, setting expectations for the broader EU crypto infrastructure sector.
Why It Matters
For Traders
Custodians that fail operational resilience testing may face restrictions or license suspension, reducing custody options available in EU-regulated venues over the coming 12-24 months.
For Investors
ESMA's supervisory rigor establishes a higher operational bar for EU custodians, signaling the regulator's commitment to MiCA compliance and potentially reducing counterparty risk for institutional entry.
For Builders
Custody infrastructure providers must document and test resilience protocols to pass ESMA reviews; this raises operational complexity and compliance overhead for custody-adjacent service providers.






