News

ESMA Launches Common Supervisory Action to Review MiCA Crypto Asset Custody

ESMA just put every EU-registered crypto custodian on notice. The European Securities and Markets Authority announced a Common Supervisory Action — a coordinated sweep of how crypto-asset service…

ESMA Launches Common Supervisory Action to Review MiCA Crypto Asset Custody

ESMA just put every EU-registered crypto custodian on notice. The European Securities and Markets Authority announced a Common Supervisory Action — a coordinated sweep of how crypto-asset service providers actually handle custody, run by national regulators on a risk-based sample of registered firms. The window: H2 this year through H1 next year, with a full report due H2 2027. For anyone running size through EU venues, this is the regulator doing homework before someone gets burned.

The operational plumbing under the microscope

I read ESMA's scope list and it reads like a post-mortem of every custody disaster I've watched unfold over the last cycle. Governance arrangements. Key and storage management. Transaction controls. Incident detection and response. Smart contract risks. Dependencies on third-party providers.

None of that is marketing copy. This is where capital goes to die — in cold storage key ceremonies nobody audits, in signing infrastructure with single points of failure, in sub-custodian chains where segregation of client assets turns out to be fiction when liquidation engines hit. ESMA is explicitly framing operational resilience and crypto custody as priority risk areas. Read that again.

What to do before the report lands

National regulators pick the targets. Smaller balance sheets, weaker governance, shakier key management — those get pulled first. Expect forced remediation, pressure on compliance budgets, and potentially restricted custody structures as findings roll in. By H2 2027, harmonized expectations across the bloc will lock in.

Practical checklist for capital deployed through EU-registered exchanges: confirm in writing how client assets are segregated; demand the key management policy; ask for incident response runbooks and the date of the last live test; map out sub-custodian dependencies. If the counterparty can't produce those documents within 24 hours, the phrase "operational resilience" on their homepage is decoration, not infrastructure.

If the EU overlay feels like too much friction, jurisdictional alternatives exist. Animoca Brands recently secured a Dubai crypto license for institutional services, joining a push that's been positioning the Gulf as a parallel venue while Europe audits. Run your own counterparty comparison — Dubai's route doesn't override MiCA exposure, but for treasuries hedging jurisdictional concentration it's another rail.

The verdict

Treat every EU-registered exchange as under a microscope through H2 2027. Slippage, order book depth, latency — those still matter, but they're second-order problems if the venue can't prove custody safety when regulators push. Demand documentation now, before the findings drop. Don't be the bagholder when the enforcement wave follows.