ESMA launches first coordinated crypto custody review under MiCA
Europe's top securities regulator is stress-testing how crypto firms safeguard client assets, and the clock is ticking for unauthorized providers
The European Securities and Markets Authority has kicked off something the crypto industry has been bracing for: a coordinated, EU-wide examination of how crypto custody providers actually handle client assets. It’s the first joint supervisory review of its kind under the Markets in Crypto-Assets Regulation, better known as MiCA, and it signals that Europe’s regulatory apparatus is moving from rulemaking into enforcement mode.
The review targets authorized Crypto-Asset Service Providers, or CASPs, and zeroes in on operational resilience, the segregation of client funds, and compliance with MiCA’s specific custody requirements.
What ESMA is actually looking at
The review is built around MiCA’s Article 75, which lays out the rules for safeguarding client crypto assets. If you’re holding someone else’s Bitcoin or ether in Europe, you need to keep their stuff separate from yours, maintain robust risk management practices, and prove you can survive operational disruptions without losing client funds.
This isn’t a targeted investigation into any specific company or token. ESMA has designed this as a broad thematic review, meaning the regulator is assessing the entire landscape rather than going after individual bad actors. No specific CASPs or protocols have been named. The goal is supervisory convergence — a bureaucratic way of saying that a crypto custodian in Estonia should be held to the same standards as one in France.
ESMA is coordinating the effort with national competent authorities across the EU. The joint approach represents a meaningful escalation from ESMA’s earlier work, which focused more on authorization guidelines and Q&A documents for national regulators trying to figure out how MiCA works in practice.
One detail worth flagging: unauthorized CASPs are explicitly barred from outsourcing custody obligations to other unlicensed entities. That closes a potential loophole where a company without proper authorization might try to park client assets with another unauthorized provider and claim compliance by proxy.
The July 2026 deadline looms large
The backdrop to this review is a hard deadline that should have every unauthorized crypto service provider in Europe sweating. MiCA’s transitional period ends on July 1, 2026. After that date, any CASP operating without proper authorization must stop providing services to EU clients entirely.
The only exception is for orderly wind-downs. Unauthorized providers can continue custody operations solely to help existing clients exit their positions, not to onboard new ones or expand their business.
ESMA had already laid groundwork for this moment. The authority issued guidelines and clarifications regarding CASP authorizations throughout the MiCA rollout, including updated guidance on custody published as recently as July 2025. The current review builds on that foundation, shifting from “here’s how the rules work” to “let’s check if you’re actually following them.”
What this means for investors and the competitive landscape
For anyone holding crypto through a European custodian, this review matters more than it might appear at first glance. The FTX collapse in 2022 demonstrated what happens when client asset segregation exists on paper but not in practice. MiCA’s custody rules are specifically designed to prevent that scenario in Europe, and ESMA is now actively verifying compliance rather than just publishing rulebooks.
The absence of named targets in this review is itself telling. ESMA isn’t playing whack-a-mole with individual offenders. Instead, it’s building the supervisory muscle to monitor an entire sector simultaneously. For crypto firms operating in good faith, that should feel like validation. For those cutting corners, the message is less comforting: there’s nowhere in the EU to hide, and the clock runs out in less than a year.