HomeBlockchainRegulationESMA crypto custody review: are 280 MiCA firms really ready?

ESMA crypto custody review: are 280 MiCA firms really ready?

Europe’s crypto industry is about to face its most rigorous operational stress test yet. On 8 July 2026, the European Securities and Markets Authority launched a Common Supervisory Action targeting crypto custody — the function at the very heart of how firms protect client assets — marking a decisive shift in the ESMA crypto custody review from regulatory theory into hard enforcement reality.

Key takeaways

  • ESMA launched a coordinated Common Supervisory Action on 8 July 2026, placing crypto custody services under direct scrutiny across the EU.
  • The review runs from the second half of 2026 through the first half of 2027, with a consolidated report expected in the second half of 2027.
  • National competent authorities will conduct risk-based reviews of a sample of the 280 authorised providers now registered under MiCA.
  • Ripple received full CASP authorisation from Luxembourg’s CSSF on 6 July 2026, cleared to operate across the 30-country European Economic Area.
  • Spain’s CNMV confirmed no deadline extensions for unlicensed crypto platforms, signalling a hardening enforcement posture across the bloc.

ESMA launches Common Supervisory Action on crypto custody under MiCA

The timing is deliberate. MiCA’s transitional period has closed, the register of authorised providers has swelled to 280 firms, and ESMA now wants to know whether the companies that earned those authorisations have actually built the operational controls their licences imply. The custody review is that verification exercise — structured, coordinated, and designed to produce findings at EU level rather than scattered national snapshots.

What makes this action significant is not just the scope but the intent. ESMA framed it explicitly as a response to digital operational resilience and crypto-asset service providers appearing as twin priorities in its own risk-based supervisory agenda. The regulator is not investigating a specific failure. It is running a proactive audit of an entire regulated sector at the moment it becomes fully subject to oversight.

Scope and focus of the custody review

The Common Supervisory Action zeroes in on the technical and governance layers where custody risk actually lives. The review covers governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks, and dependencies on third-party providers. Each of these areas maps directly onto how a custodian holds, moves, and safeguards crypto assets on behalf of clients.

Key management alone — how private keys are generated, stored, and protected — represents one of the most consequential operational risks in the entire crypto stack. A governance failure there is not an abstract compliance issue; it is a potential loss of client funds. ESMA’s decision to put these controls under a structured review signals that the regulator understands the technical specificity of crypto risk in a way that earlier, more generalist regulatory frameworks did not.

Third-party dependencies are equally telling as a focus area. Many custodians rely on external technology providers for core custody infrastructure, and that outsourcing chain can introduce vulnerabilities that sit outside the authorised firm’s direct control. Bringing that into scope closes a gap that could otherwise become a regulatory blind spot.

Timeline and reporting schedule

The review runs from the second half of 2026 through the first half of 2027. A consolidated report will then go to ESMA’s Board of Supervisors in the second half of 2027. That sequencing matters: the findings will feed into supervisory convergence at EU level, helping ensure that a custodian authorised in one member state faces the same resilience expectations as one authorised in another.

National regulators’ risk-based supervision and MiCA enforcement updates

National competent authorities will carry out the review across their jurisdictions, targeting a risk-based sample of authorised providers rather than the full population. This design keeps hands-on supervision with member-state regulators while channelling results back to the EU level — the same split-responsibility architecture that has defined MiCA’s rollout from the start.

Role of national competent authorities in the review

Concentrating supervisory attention on a risk-based sample rather than every registered firm is both practical and strategic. It lets national regulators focus resources where the resilience gap could be most damaging, while the common methodology ensures the resulting data is comparable across borders. That comparability is what allows ESMA to build a credible EU-wide picture from what are essentially 30-plus separate national exercises.

The action lands as MiCA enforcement visibly hardens. Spain’s CNMV ruled out any extensions for unlicensed crypto platforms, with chair Carlos San Basilio making clear there would be no exceptions to the deadline. That stance, combined with ESMA’s custody review, paints a picture of regulators moving in the same direction at the same time — not coordination by coincidence, but the predictable consequence of a framework that was always designed to create convergent outcomes.

Current status of authorised crypto-asset service providers

The MiCA register has expanded to 280 authorised providers following the transitional period, up from 243, drawing in a broad mix of custodians, exchanges, and token issuers under a single EU oversight structure. Standard Chartered, FalconX, and Sygnum Europe are among the newly listed firms, with Cyprus leading the latest wave of approvals at six new authorisations.

One of the more consequential individual authorisations came just two days before ESMA’s announcement. Ripple secured full CASP authorisation from Luxembourg’s CSSF on 6 July 2026, clearing it to operate across the entire 30-country European Economic Area. For firms at Ripple’s scale, that licence is not simply a compliance checkbox — it is a passport to the largest single regulated crypto market in the world.

The custody review gives ESMA its first structured read on resilience controls since firms began moving off national transitional registrations onto the shared EU register. For the 280 authorised providers now sitting inside the MiCA perimeter, the question is no longer whether they are regulated. It is whether the operational reality inside their custody operations actually matches the standards their authorisation assumes.

FAQ

What is the focus of ESMA’s crypto custody review?

The review focuses on assessing the digital operational resilience of authorised crypto-asset service providers, with custody services as the central focus. It covers governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks, and dependencies on third-party providers.

Who is responsible for conducting the custody review in each EU member state?

National competent authorities conduct risk-based reviews of authorised crypto-asset service providers within their own jurisdictions, working to a common methodology coordinated by ESMA.

How many authorised crypto-asset service providers are registered under MiCA?

Following the transitional period, the MiCA register includes 280 authorised crypto-asset service providers, covering custodians, exchanges, and token issuers across the EU.

Has Ripple been authorised to operate under MiCA enforcement?

Yes. Ripple received full CASP authorisation from Luxembourg’s CSSF on 6 July 2026, clearing it to operate across the 30-country European Economic Area.

Article produced with the assistance of artificial intelligence and reviewed by the editorial team.

Francesco Antonio Russo
Web 3.0 entrepreneur for over 4 years, expert in Cryptocurrencies and Artificial Intelligence. He uses his cross-functional skills for functional and trend-following Social Media Management.
RELATED ARTICLES

Stay updated on all the news about cryptocurrencies and the entire world of blockchain.

Featured video

LATEST