Getting licensed under the European Union’s Markets in Crypto-Assets Regulation (MiCA) framework is only the beginning for crypto custodians, as regulators turn their attention from authorization to operational resilience.
The European Securities and Markets Authority (ESMA) on Wednesday launched a Common Supervisory Action (CSA) to examine the operational resilience of crypto asset service providers (CASPs), placing custody services at the center of the review.
“The signal is quite clear: for custodians, a licence is the start line, not the finish,” Sebastien Dessimoz, co-founder and managing partner at digital asset infrastructure firm Taurus, told Cointelegraph.
The review comes shortly after MiCA’s transitional period expired, marking one of the first major supervisory exercises under the EU’s new crypto framework.
From claiming security to proving it
The ESMA told Cointelegraph that the CSA will apply to a sample of authorized CASPs under MiCA. The review will assess the maturity of CASPs’ digital operational resilience frameworks for custody activities, focusing on risks including key and storage management, transaction controls, incident response and dependencies on third-party providers.
According to industry executives, the action marks a significant shift in Europe’s crypto market, where custody providers are increasingly expected to demonstrate, not simply claim, that their operational controls can withstand real-world risks.
“The shift I expect is from asserting security to evidencing it,” Dessimoz said. “This is a healthy development,” he noted, adding that digital assets are moving deeper into regulated financial infrastructure, and that requires the same security, accountability and resilience institutions expect in traditional markets.
Related: StanChart features in ESMA’s first MiCA register update since deadline
Jody Mettler, chief operating officer of BitGo and president of BitGo Trust, told Cointelegraph that institutional clients have already been asking more detailed questions about how custody providers segregate assets, manage access controls, respond to incidents and maintain business continuity during periods of market stress.
“The signal is that regulators are looking more closely at the operational standards behind digital asset services, not just whether firms are licensed,” she added.
Markus Levin, co-founder of blockchain infrastructure company XYO, said obtaining a MiCA authorization and demonstrating operational resilience are “two different tests,” adding that CASPs able to prove robust controls before regulators complete their review could gain an advantage as institutional adoption grows.
MiCA meets DORA and the debate over centralized crypto supervision
Yuriy Brisov, a lawyer at Digital & Analogue Partners, said the review sits under two EU regulatory frameworks at once: the MiCA framework, which establishes custody obligations, and the Digital Operational Resilience Act (DORA), which sets technology risk requirements for financial firms.
“Custody technology is concentrated in a handful of vendors, so one weak supplier can hit many firms at once,” the lawyer said, adding: “Proving resilience across that supply chain, under MiCA and DORA simultaneously, is the real challenge for CASPs.”

Source: Digital Operational Resilience Act
According to Brisov, the review could set a benchmark for how regulators assess MiCA-authorized custodians and influence discussions around a more centralized approach to crypto supervision in the EU.
“The findings will feed into two live debates: the review of MiCA and the proposal to move supervision of all CASPs from national regulators to ESMA,” he said.
Magazine: The biggest blockchain upgrades still to come in 2026
