Crypto Custodians Enter New Phase of Regulatory Scrutiny Beyond MiCA Licensing

Crypto Custodians Enter New Phase of Regulatory Scrutiny Beyond MiCA Licensing

While MiCA licenses enable crypto companies to function within the EU, custodians now face ESMA's comprehensive examination to verify they satisfy essential security and operational resilience requirements.

Obtaining authorization under the European Union's Markets in Crypto-Assets Regulation (MiCA) framework represents merely the first step for cryptocurrency custodians, as regulatory authorities shift their focus from granting licenses to evaluating operational resilience capabilities.

On Wednesday, the European Securities and Markets Authority (ESMA) initiated a Common Supervisory Action (CSA) designed to evaluate the operational resilience of crypto asset service providers (CASPs), with custody services positioned as the focal point of this examination.

"The signal is quite clear: for custodians, a licence is the start line, not the finish."

Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus

This examination arrives on the heels of MiCA's transitional period coming to an end, representing one of the initial significant supervisory initiatives conducted under the EU's newly established crypto regulatory framework.

From claiming security to proving it

In a statement to Cointelegraph, the ESMA confirmed that the CSA will be implemented across a selected sample of MiCA-authorized CASPs. The examination will evaluate how mature CASPs' digital operational resilience frameworks are specifically for custody operations, with particular attention to risks encompassing key and storage management, transaction controls, incident response protocols and reliance on third-party service providers.

Industry leaders indicate that this regulatory action represents a substantial transformation in Europe's cryptocurrency market environment, where custody service providers face growing expectations to provide concrete evidence, rather than mere assertions, that their operational controls possess the capability to withstand practical real-world threats and challenges.

"The shift I expect is from asserting security to evidencing it. This is a healthy development."

Sebastien Dessimoz

According to Dessimoz's observations, digital assets are becoming increasingly integrated into regulated financial infrastructure, which necessitates the identical levels of security, accountability and resilience that institutions have come to expect within traditional financial markets.

In conversation with Cointelegraph, Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, explained that institutional clients have already begun posing increasingly detailed and specific questions regarding how custody providers segregate assets, manage access controls, respond to incidents and maintain business continuity during periods of market stress.

"The signal is that regulators are looking more closely at the operational standards behind digital asset services, not just whether firms are licensed."

Jody Mettler, chief operating officer of BitGo and president of BitGo Trust

Markus Levin, co-founder of blockchain infrastructure company XYO, indicated that securing a MiCA authorization and demonstrating operational resilience represent "two different tests," further noting that CASPs with the ability to prove robust controls before regulators complete their review could gain an advantage as institutional adoption grows.

MiCA meets DORA and the debate over centralized crypto supervision

Yuriy Brisov, a lawyer at Digital & Analogue Partners, explained that the review operates under two EU regulatory frameworks simultaneously: the MiCA framework, which establishes custody obligations, and the Digital Operational Resilience Act (DORA), which sets technology risk requirements for financial firms.

"Custody technology is concentrated in a handful of vendors, so one weak supplier can hit many firms at once. Proving resilience across that supply chain, under MiCA and DORA simultaneously, is the real challenge for CASPs."

Yuriy Brisov, lawyer at Digital & Analogue Partners
Digital Operational Resilience Act framework
Source: Digital Operational Resilience Act

In Brisov's assessment, the review has the potential to establish a benchmark for how regulatory authorities evaluate MiCA-authorized custodians and shape ongoing discussions surrounding a more centralized approach to cryptocurrency supervision across the EU.

"The findings will feed into two live debates: the review of MiCA and the proposal to move supervision of all CASPs from national regulators to ESMA."

Yuriy Brisov
← Back to Blog