The European Securities and Markets Authority has launched a common supervisory action targeting crypto-asset service providers, with a specific focus on digital operational resilience and custody controls across the EU.

ESMA, the EU’s financial markets regulator, announced the coordinated review as a supervisory exercise rather than an enforcement action or new regulation. The move signals that national competent authorities across member states will examine how licensed CASPs handle custody obligations and operational resilience requirements. For related coverage, see 35% of European Investors Would Switch Banks for Better Crypto Services.
The review is not a penalty or a rule change. It is a structured process in which regulators assess whether firms already operating under authorization are meeting the standards expected of them, particularly around safeguarding client assets. For related coverage, see CFTC Sues Trevor Vernon and Argent Capital Over Alleged $14M Crypto Pool Fraud.
Why Custody Controls Are the Focus
Custody sits at the center of crypto operational risk. When a provider holds digital assets on behalf of clients, failures in key management, segregation of funds, or disaster recovery can result in permanent loss. Traditional finance has decades of custodial infrastructure; crypto custody is still maturing.
ESMA’s decision to zero in on custody and digital operational resilience reflects the regulator’s view that these functions carry outsized risk. The 244 crypto firms authorized across the EEA ahead of the MiCA deadline now face practical scrutiny on whether their internal controls match regulatory expectations.
The review covers how CASPs document their custody procedures, manage cybersecurity threats, and maintain business continuity. For firms that also provide institutional-grade crypto custody services, the bar for operational resilience is especially high.
What EU Crypto Firms Should Watch Next
The common supervisory action means national regulators will conduct parallel assessments using a shared methodology. Firms should expect requests for documentation on custody arrangements, IT risk frameworks, and incident response procedures.
This is supervisory follow-through, not a guaranteed path to fines or license revocations. However, firms that fall short of expectations during the review could face remedial requirements or heightened ongoing supervision. The exercise also feeds into ESMA’s broader understanding of systemic risks in the crypto sector.
CASPs operating in the EU should monitor ESMA’s subsequent publications for findings and any updated supervisory expectations. National regulators may also issue jurisdiction-specific guidance based on what the coordinated review uncovers. For firms navigating the evolving EU regulatory landscape for crypto, this review adds another layer of compliance attention.
The scope of the action, as reported by CoinTelegraph, underscores that post-MiCA supervision is moving from licensing to active oversight. Firms that secured authorization should treat this as the beginning of ongoing regulatory engagement, not the end of it.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.