ESMA Launches EU-Wide Review on Crypto Custody Practices

By Patricia Miller

3 min read

The European Securities and Markets Authority begins a significant review of how crypto custody providers handle client assets, ensuring compliance.

#What is the European Securities and Markets Authority's Focus?

The European Securities and Markets Authority has initiated a comprehensive examination concerning how crypto custody providers manage client assets. This marks the first joint supervisory review under the Markets in Crypto-Assets Regulation, commonly known as MiCA. This action indicates a shift in Europe’s regulatory landscape from merely establishing rules to actively enforcing them.

The review specifically targets authorized Crypto-Asset Service Providers, often referred to as CASPs. It emphasizes critical areas such as operational resilience, the segregation of client funds, and adherence to MiCA’s custody requirements.

#What Guidelines are Under Scrutiny?

The review is centered on Article 75 of MiCA, which outlines how client crypto assets should be protected. For custodians holding other people’s digital currencies, such as Bitcoin or ether, there are strict requirements. They must keep customer assets separate, enforce strong risk management practices, and demonstrate their ability to handle operational disruptions without jeopardizing client funds.

This review is not focused on any particular company or digital token. Instead, it serves as a broad thematic overview, aimed at assessing the overall landscape of crypto custodians. Importantly, no specific CASPs or protocols have faced public scrutiny. The objective is to ensure uniform standards across the board, meaning that custodians in various EU countries should meet the same regulatory benchmarks.

#How is ESMA Collaborating with National Authorities?

ESMA is collaborating with national regulatory bodies across the EU to coordinate this initiative. This joint framework represents a significant advance from ESMA’s previous endeavors, which were more about providing guidelines on authorization and assisting regulators in understanding MiCA’s operational implications.

One critical detail of this review is the prohibition against unauthorized CASPs outsourcing custody duties to unlicensed third parties. This measure aims to eliminate potential loopholes where companies without proper authorization might transfer client assets to other non-compliant providers.

#What is the Impending Deadline for Compliance?

It is essential for unauthorized crypto service providers in Europe to remain aware of the looming deadline that could disrupt their operations. The transitional period for MiCA concludes on July 1, 2026. After this date, CASPs operating without the necessary authorization must cease offering services to clients in the EU. The only permitted activity for unauthorized providers will be orderly wind-downs of existing client positions, prohibiting any onboarding of new customers or expansion of services.

ESMA has already established the groundwork for this critical moment. Throughout MiCA's rollout, the authority issued guidelines and clarifications regarding CASP authorizations, including updated custody guidance released as recently as July 2025. This current review shifts the focus from rule formulation to active compliance verification.

#How Does This Affect Crypto Investors and the Industry?

For individuals holding cryptocurrencies through European custodians, this review has significant implications. The collapse of FTX in 2022 highlighted the dangers of inadequate client asset segregation. MiCA’s custody regulations are structured to prevent such incidents in Europe, and ESMA is taking steps to ensure compliance.

The absence of distinctly targeted companies within the review is notable for two reasons. First, ESMA is not engaged in pinpointing isolated offenders. Instead, it is strengthening its supervisory capabilities to monitor the entire industry. This should come as a reassurance for crypto firms that operate transparently. However, for parties that engage in non-compliant practices, the message is clear: there will be no refuge in the EU, especially with the July deadline approaching.

Important Notice And Disclaimer

This article does not provide any financial advice and is not a recommendation to deal in any securities or product. Investments may fall in value and an investor may lose some or all of their investment. Past performance is not an indicator of future performance.