Tag: key management

  • ESMA Launches EU-Wide Crypto Custody Review Following MiCA Deadline

    ESMA Launches EU-Wide Crypto Custody Review Following MiCA Deadline

    The European Securities and Markets Authority (ESMA) has initiated a comprehensive review of licensed crypto custody providers across the European Union, just days after the full implementation of the Markets in Crypto-Assets (MiCA) regulation on July 1, 2026. Announced on July 8, 2026, this Common Supervisory Action (CSA) marks a significant shift from the licensing phase to ongoing compliance and supervision in the crypto sector.

    ESMA’s review will focus on how authorized crypto-asset service providers (CASPs) safeguard client assets through secure custody practices, operational resilience, and risk management. National regulators will inspect a risk-based sample of licensed firms during the assessment period, running from the second half of 2026 through the first half of 2027.

    Key Areas of Assessment

    The supervisory action will examine several critical aspects of crypto custody operations under MiCA:

    • Governance arrangements – How firms manage and oversee custody processes.
    • Private key management – Security measures for controlling access to client assets.
    • Storage controls – Physical and logical safeguards for digital asset storage.
    • Transaction monitoring – Systems for detecting and reporting suspicious activities.
    • Incident detection procedures – Protocols for identifying and responding to security breaches.
    • Smart contract risks – Assessment of vulnerabilities in automated agreements.
    • Third-party reliance – Evaluation of technology providers supporting custody operations.

    Post-MiCA Transition Period

    The review follows the expiration of MiCA’s transitional period on July 1, 2026. From that date, any company offering crypto services in the EU without proper MiCA authorization is violating EU law. ESMA has instructed unauthorized firms to cease operations and implement orderly wind-down plans, which must include notifying clients and allowing them to transfer assets to an authorized provider or a self-hosted wallet. Additionally, MiCA prohibits authorized firms from outsourcing custody services to entities lacking CASP authorization.

    No New Obligations, But Higher Scrutiny

    ESMA confirmed that the review introduces no new custody obligations. Instead, regulators will assess whether licensed firms already meet the operational standards established under MiCA. Custody providers remain liable for client asset losses resulting from incidents attributable to them, with liability capped at the market value of the lost assets. The review aims to ensure firms have robust controls to reduce operational failures and protect customer holdings.

    According to CoinPaprika data cited by ESMA, the global cryptocurrency market stood at approximately $2.25 trillion on July 8, 2026, after a 2% decline in the previous 24 hours. This substantial market value underscores the importance of secure custody practices.

    Future Implications

    The Common Supervisory Action will continue until the first half of 2027. ESMA will then compile its findings into a report for its Board of Supervisors during the second half of 2027. The results, which will not identify individual firms, will guide how national regulators apply MiCA standards and supervise crypto custody providers across the EU. This coordinated effort aims to ensure consistent supervisory practices and strengthen the overall security of the European crypto market.