Crypto加密

ESMA turns scrutiny on crypto custody as MiCA oversight cycle begins

With the Markets in Crypto-Assets regulation now setting the formal compliance perimeter for digital asset firms across the European Union, the bloc's top securities regulator is shifting from lawmaker to examiner. The European…

By Sofia Almeida·July 8, 2026·二〇二六年七月八日·2 min read

HONG KONGJuly 8, 2026

With the Markets in Crypto-Assets regulation now setting the formal compliance perimeter for digital asset firms across the European Union, the bloc's top securities regulator is shifting from lawmaker to examiner. The European Securities and Markets Authority has said it will assess crypto custody providers on key management, incident response, and their reliance on third-party technology suppliers. The move signals that MiCA's supervisory cycle is entering a more active phase.

What ESMA is examining

Key management in a custody context covers how providers secure and control access to client assets at the cryptographic layer. Incident response concerns how quickly and transparently firms contain and communicate security failures when they occur. Third-party technology reliance addresses how much of a provider's operational continuity depends on external vendors rather than systems the firm controls directly.

ESMA's choice to focus on these specific areas points to the parts of custody operations that are hardest to observe from outside the firm, and most likely to generate wider problems if they fail at scale.

The post-MiCA supervision question

MiCA replaced the earlier patchwork of national-level crypto rules with a single EU-wide licensing framework. Custody providers were among the entities that faced the heaviest new obligations under that transition. ESMA's review represents the expected next phase: once firms are inside the regulatory perimeter, the question shifts from whether they qualify for authorization to whether they operate in line with what that authorization requires.

The attention to third-party technology suppliers carries a read-through for the broader custody sector. Concentration at the infrastructure level, where multiple custodians rely on the same external vendors, creates systemic exposure that individual firm audits tend to miss. ESMA appears to be mapping exactly that risk.

For any custody provider operating within the EU, the review adds a second compliance test. Clearing MiCA authorization was the first pass. Demonstrating that day-to-day operations hold up under supervisory examination is the harder one, and ESMA has now said it intends to run it.

Related reading

Source · 來源

NewsHK

Share · 分享

Key takeaways

Frequently asked

What specific areas is ESMA examining in crypto custody providers?

ESMA is examining key management, incident response, and providers' reliance on third-party technology suppliers.

What does key management mean in a custody context?

Key management covers how providers secure and control access to client assets at the cryptographic layer.

Why is ESMA focused on third-party technology suppliers?

Because concentration at the infrastructure level, where multiple custodians rely on the same external vendors, creates systemic exposure that individual firm audits tend to miss.

What did MiCA change for crypto firms in the EU?

MiCA replaced the earlier patchwork of national-level crypto rules with a single EU-wide licensing framework, and custody providers faced among the heaviest new obligations under that transition.

What is the significance of ESMA's review for custody providers?

It adds a second compliance test beyond clearing MiCA authorization, requiring firms to demonstrate that their day-to-day operations hold up under supervisory examination.