ESMA turns spotlight on crypto custody risks after MiCA transition

Summary

ESMA is launching a EU-wide common supervisory action to review crypto-asset service providers, with a focus on custody services and operational resilience under MiCA. National regulators will inspect a risk-based sample of authorized CASPs through the first half of 2027, examining key and storage management, governance, transaction controls, incident detection and response, and reliance on third-party providers. ESMA will compile the results into a final report for its Board of Supervisors in the second half of 2027. The review begins soon after MiCA’s transition period ended on July 1, increasing scrutiny of how firms comply with the new regime.