ESMA launches the first coordinated inspection of custodial crypto services under MiCA standards.
The European Securities and Markets Authority (ESMA) is moving from the rule-writing phase to the practical application phase. The regulator has initiated the first coordinated inspection of crypto-asset service providers (CASPs), launching a project called the Common Supervisory Action (CSA). The focus is on the operational resilience of digital asset custody services, which is one of the most critical nodes in the market infrastructure.
What exactly will be checked?
The inspection will be conducted by national competent authorities (NCAs) based on a risk-oriented sample of authorized CASPs. The main focus is on risks inherent in distributed ledger technology (DLT): key management and storage processes, transaction control, as well as mechanisms for incident detection and response. Special attention is given to risks associated with smart contracts and dependence on third-party providers.
The inspection timeline is set for the second half of 2026 to the first half of 2027. This means market participants have time to bring their systems into compliance, but there is no room for complacency.
Why is this important for the market?
The choice of custody as the first supervisory target is no coincidence. This is where the industry's main risks are concentrated: loss of keys, hacks, and failures by third-party contractors. Recent incidents with withdrawal suspensions on certain platforms have clearly demonstrated how vulnerable this function can be for users.
For the market, this inspection means increased compliance costs and higher requirements. Large, well-prepared companies may gain a competitive advantage, while smaller participants with immature resilience systems could face serious difficulties. In the long term, oversight could boost institutional investor confidence in regulated European platforms, but overly strict enforcement of rules risks driving some business to jurisdictions with softer regulation.
My expert opinion: This is the first wake-up call for the entire industry. MiCA is no longer just a set of rules on paper—it is becoming a tool of direct enforcement. Companies that have not paid due attention to operational resilience and key management risk not only fines but also losing their license. The market is moving toward TradFi standards, and those who fail to adapt will be left behind.