ESMA Opens a Coordinated Review of CASP Custody Resilience

On 8 July, the European Securities and Markets Authority launched a Common Supervisory Action on the digital operational resilience of crypto-asset service providers offering custody services. The exercise is the first coordinated supervisory review of CASPs since the transitional period closed, focused on custody services, and it turns regulatory attention toward how authorised firms manage the risks that come with holding client assets day to day.
National competent authorities will carry out risk-based reviews of a sample of authorised CASPs, coordinated by ESMA. The review sits within ESMA's stated supervisory priorities, which name both digital operational resilience and CASPs as key areas of risk across the sector.
What the review covers
Custody sits at the centre of how a CASP protects client assets, and the review reflects this. Supervisors will examine how firms govern their custody operations, how private keys and storage systems are secured, and how transactions are authorised and monitored. Alongside this, the review looks at how quickly firms detect and respond to incidents, what exposure they carry through smart contracts, and how dependent their custody function is on outside technology providers.
A custodian's control over private keys shapes whether client assets can be recovered following an incident. Reliance on external node operators, wallet infrastructure, and cloud services shapes how a firm's operations hold up when one of those providers experiences disruption. Governance arrangements shape how consistently documented controls get followed once daily operational pressure sets in.
Timing and next steps
The exercise runs from the second half of 2026 through the first half of 2027. National competent authorities will consolidate their findings into a report for ESMA's Board of Supervisors, expected in the second half of 2027.
The consolidated findings will inform how competent authorities apply MiCA's custody standards in practice, supporting the supervisory convergence that MiCA was designed to deliver across the single market.
What this means for CASPs
MiCA authorisation confirmed that a firm's controls met the required standard at the point of assessment. This review tests how those same controls perform in ongoing operation.
The review's focus areas offer authorised custody providers a practical basis for self-assessment ahead of any national inspection: documented governance arrangements, tested key management procedures, monitored transaction controls, a working incident response process, a clear view of smart contract exposure where relevant, and a mapped inventory of third-party dependencies.
The Alliance will continue to track the review as it develops and will share updates as findings become available.
Learn more about the Common Supervisory Action: https://www.esma.europa.eu/press-news/esma-news/esma-launches-common-supervisory-action-casps-digital-operational-resilience