// FINANCE

MiCA licensing only the beginning as crypto custodians face scrutiny

By Lysias · July 10, 2026

Key Takeaways

What ESMA Is Actually Reviewing

According to Cointelegraph, the Common Supervisory Action launched by ESMA on Wednesday is designed to test how mature crypto asset service providers’ digital operational resilience frameworks are when it comes to custody activities specifically. This is not a check on whether firms hold a licence under MiCA, but an examination of what happens after that licence has been granted.

Cointelegraph reported that ESMA told the outlet the review will look at a sample of CASPs already authorized under MiCA, focusing on areas including key and storage management, controls around transactions, how firms respond to incidents, and how dependent custodians are on third-party service providers. These are the practical, day-to-day mechanics of keeping client crypto assets safe rather than the paperwork required to obtain authorization in the first place.

The timing matters. Cointelegraph noted that the review comes shortly after MiCA’s transitional period expired, making this one of the first major supervisory exercises to take place under the EU’s crypto framework once firms could no longer rely on grandfathering arrangements from national regimes. In other words, this is the first real test of what licensed operation under MiCA looks like in practice, not just on paper.

Why Custody Is Under the Microscope

Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus, told Cointelegraph that the message to custodians is straightforward: a licence marks the start of regulatory scrutiny, not the end of it. He added that the shift underway is one from asserting security to evidencing it, and described this as a healthy development, noting that digital assets are moving deeper into regulated financial infrastructure and are therefore expected to meet the same standards of security, accountability and resilience that traditional financial institutions face.

Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, told Cointelegraph that institutional clients have already been pressing custody providers with more detailed questions, including how client assets are segregated, how access to those assets is controlled, how incidents are handled, and how business continuity is maintained when markets come under stress. She said the broader signal from regulators is that operational standards behind digital asset services are now under closer examination, not merely whether a firm holds a licence.

Markus Levin, co-founder of blockchain infrastructure company XYO, told Cointelegraph that obtaining MiCA authorization and actually demonstrating operational resilience are two separate tests. He suggested that CASPs able to prove they have robust controls in place ahead of regulators completing their review could gain a competitive edge as institutional interest in digital assets continues to grow.

For everyday users, this distinction is meaningful even if it plays out mostly behind the scenes. A licence tells a customer that a firm has met the EU’s baseline requirements to operate. What this review probes is whether the systems protecting a customer’s actual holdings — the private keys, the controls over withdrawals, the plans for when something goes wrong — hold up under closer inspection. That is the difference between a firm being permitted to custody assets and a firm being demonstrably capable of doing so safely.

Two Frameworks, One Supply Chain Problem

Yuriy Brisov, a lawyer at Digital & Analogue Partners, told Cointelegraph that the review sits at the intersection of two separate EU regulatory frameworks. MiCA sets out the custody obligations themselves, while the Digital Operational Resilience Act, or DORA, establishes the technology risk requirements that financial firms more broadly must meet. Brisov said custody technology tends to be concentrated among a relatively small number of vendors, meaning a single weak supplier could affect multiple firms at once. He characterized proving resilience across that supply chain, under both MiCA and DORA simultaneously, as the genuine challenge facing CASPs.

Brisov also told Cointelegraph that the findings from this review are likely to feed into two ongoing regulatory debates: the broader review of MiCA itself, and a separate proposal to shift supervision of all CASPs away from national regulators and toward ESMA directly. If that centralization proposal advances, the standards being tested in this Common Supervisory Action could become a template for how custodians are assessed across the entire bloc, rather than country by country.

Hype Check

Claim: A MiCA licence is presented by some in the industry as proof that a crypto custodian’s security and operations are sound. Reality: Cointelegraph’s reporting shows regulators view licensing as only the starting point, with ESMA’s new Common Supervisory Action specifically designed to test whether authorized custodians’ key management, transaction controls, incident response and third-party dependencies actually meet resilience standards under MiCA and DORA. Industry figures quoted by Cointelegraph, including from Taurus, BitGo and Digital & Analogue Partners, all describe this as a distinct and harder test than authorization itself. Verdict: Substance. This is not financial advice.

Source

Researched with AI assistance, fact-checked and edited by a human. Not financial advice.

📬 Get Cryptoverse Weekly

The week’s most important crypto & AI stories, straight to your inbox. No spam, unsubscribe anytime.

Double opt-in — we’ll email you a confirmation link.