Login
Sign Up
Woofun AI reports that the European Securities and Markets Authority (ESMA) has initiated a Common Supervisory Action (CSA) to scrutinize the operational resilience of crypto asset service providers (CASPs) licensed under the European Union's Markets in Crypto-Assets Regulation (MiCA). This supervisory exercise marks a definitive pivot from static authorization to dynamic operational assessment, placing custody services at the epicenter of regulatory attention. Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus, characterized the development as a clear signal that a license serves as a starting line rather than a finish line for custodians. The timing of this intervention is critical, occurring shortly after the expiration of MiCA’s transitional period, thereby establishing one of the first major enforcement benchmarks under the EU’s new crypto framework. By targeting a sample of authorized CASPs, ESMA aims to evaluate the maturity of digital operational resilience frameworks specifically for custody activities, moving beyond theoretical compliance to practical risk management.
The CSA will rigorously assess specific operational vulnerabilities, including key and storage management, transaction controls, incident response protocols, and dependencies on third-party providers. This granular focus reflects a broader industry consensus that asserting security is no longer sufficient; providers must evidence their ability to withstand real-world risks. Sebastien Dessimoz emphasized that this shift from assertion to evidence is a healthy development, noting that digital assets are increasingly integrated into regulated financial infrastructure. Consequently, the same levels of security, accountability, and resilience expected in traditional markets are now mandatory for crypto custodians. Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, corroborated this trend, observing that institutional clients are already demanding detailed disclosures on how custody providers segregate assets, manage access controls, and maintain business continuity during periods of market stress. The regulatory signal is unambiguous: oversight is intensifying regarding the operational standards behind digital asset services, independent of whether firms hold a license.
Woofun AI data shows that the distinction between obtaining MiCA authorization and demonstrating operational resilience is becoming a critical competitive differentiator. Markus Levin, co-founder of blockchain infrastructure company XYO, described these as two distinct tests, suggesting that CASPs capable of proving robust controls before the completion of the regulatory review will secure a significant advantage as institutional adoption accelerates. This competitive pressure is compounded by the complex regulatory overlap between MiCA and the Digital Operational Resilience Act (DORA). Yuriy Brisov, a lawyer at Digital & Analogue Partners, explained that the review operates under both frameworks simultaneously: MiCA establishes custody obligations, while DORA sets technology risk requirements for financial firms. The concentration of custody technology among a handful of vendors creates systemic vulnerabilities, where a single weak supplier can impact multiple firms at once. Proving resilience across this concentrated supply chain, while satisfying both MiCA and DORA, represents the most significant challenge for CASPs.
The implications of this supervisory action extend beyond immediate compliance, potentially setting a benchmark for future EU crypto supervision. Yuriy Brisov noted that the findings from the CSA will directly influence two live regulatory debates: the ongoing review of MiCA and the proposal to centralize the supervision of all CASPs from national regulators to ESMA. This centralization trend suggests a move toward a more unified and stringent oversight model, reducing regulatory fragmentation across member states. As the EU refines its approach, the ability of CASPs to demonstrate operational resilience will likely become a prerequisite for market access, rather than a post-licensing formality. The scrutiny applied by ESMA serves as a precursor to what may become a standardized expectation for all crypto custodians operating within the jurisdiction.
Ultimately, the launch of the Common Supervisory Action signifies a new era for crypto custodians in Europe, where operational resilience is paramount. The transition from licensing to continuous operational verification demands that CASPs invest heavily in robust security frameworks and transparent reporting mechanisms. As institutional capital continues to flow into digital assets, the demand for proven, resilient custody solutions will only intensify. Regulatory bodies like ESMA are clearly signaling that compliance is not a static achievement but a dynamic process requiring constant vigilance and adaptation. This marks a fundamental shift in the industry, where the burden of proof lies squarely on the custodians to demonstrate their capability to protect assets in an increasingly complex threat landscape.