regulation
ESMA launches first MiCA-era supervisory action, targeting CASP custody resilience
ESMA announced a Common Supervisory Action on July 8 covering the digital operational resilience of authorised CASPs' custody services. NCAs run the risk-based reviews from H2 2026 to H1 2027.
ESMA — the European Securities and Markets Authority — announced on July 8, 2026 a Common Supervisory Action (CSA) covering the digital operational resilience of authorised crypto-asset service providers, with custody services as the scoped surface. The ESMA press release frames the CSA as a coordinated exercise with National Competent Authorities (NCAs) — the AMF in France, BaFin in Germany, the CSSF in Luxembourg, and their peers — who will inspect a risk-based sample of the roughly 280 authorised CASPs now on the MiCA register. The exercise runs from H2 2026 to H1 2027; a consolidated report goes to ESMA's Board of Supervisors in the second half of 2027. Cross-reporting: The Block, Cryptonomist, FinanceFeeds, Cryptotimes, Global Regulation Tomorrow.
This is the first substantial supervisory push under the fully-in-force MiCA regime — the transitional period ended July 1 — and the first time NCAs will jointly test whether the operational controls implied by a CASP licence exist in practice.
What the CSA covers
The CSA "assesses the maturity of CASPs' digital operational resilience frameworks in relation to custody activities." The scope is drawn against risks inherent to distributed ledger technology, and the release enumerates them:
- Governance arrangements — board-level oversight of the custody function, delegated authority, incident escalation.
- Key and storage management — hot/warm/cold segmentation, signing procedure, HSM policy, backup and recovery.
- Transaction controls — pre- and post-signing checks, address allow-listing, withdrawal thresholds and delays.
- Incident detection and response — telemetry, on-call, playbooks, disclosure obligations under MiCA and DORA.
- Smart contract risks — for CASPs whose custody model touches on-chain vaults or multisigs, the exposure introduced by the contract itself.
- Third-party dependencies — sub-custodians, oracle providers, cloud, wallet-infrastructure vendors.
Two things are notable in that enumeration. First, "smart contract risks" appears as a first-class item in a securities regulator's supervisory action — the CSA treats on-chain custody as a category the NCAs will inspect, not a technicality. Second, the DORA fingerprint is visible throughout: the Digital Operational Resilience Act has been in force for other financial firms since January 17, 2025, and its incident-classification and ICT-third-party-risk requirements map cleanly onto MiCA's Title V custody obligations.
Numbers
- CSA announcement date : July 8, 2026
- Exercise window : H2 2026 → H1 2027
- Consolidated report : H2 2027 (to ESMA Board of Supervisors)
- Authorised CASPs on register: ~280
- MiCA transitional period : ended July 1, 2026
- Legal frame : MiCA + DORA
- Sample basis : risk-based (NCAs choose)
- Article authority : ESMA regulation art. 29a (peer reviews)
Figures per the ESMA release and MiCA CASP register (state 2026-07).
Who runs the inspections
The CSA is coordinated by ESMA but executed by NCAs on their own authorised populations. Concretely:
- The AMF and ACPR cover the French population of MiCA CASPs — a set that grew sharply after the July 1 non-authorised platform cut-off forced the tail of unlicensed providers off the French market.
- The BaFin covers the German CASPs, which includes the largest cluster of licensed custodians in the EU by number of firms.
- The CSSF in Luxembourg supervises Ripple's fresh full CASP licence and Circle's European issuance stack, among others.
- The Central Bank of Ireland supervises Coinbase's European hub.
- The CNMV in Spain has a smaller but growing licensed set.
That distribution matters: the CSA outputs a report per NCA, and ESMA consolidates. Any divergence between how, say, the CSSF reads "adequate key management" and how BaFin reads it will surface in the consolidated document — and that divergence is the operational shape of MiCA enforcement in year one.
Why now — the triggers behind the CSA
Three background facts frame ESMA's timing.
AscendEX collapsed in late June. The exchange's parent had held a MiCA-adjacent authorisation and its withdrawal stall through the transitional period was the first live stress test of European CASP resilience under the new regime. BeInCrypto's read explicitly connects that episode to the CSA scope — custody firms failing operationally on live European client funds is precisely the failure mode a resilience CSA is built to detect before, not after.
The MiCA transitional period ended July 1. From that day forward, the register is the market. ESMA has both the authority and the reputational obligation to test whether the operational side of the licences it just permitted matches the paper.
DORA is now the baseline for every other regulated financial firm. Aligning CASPs to the same operational-resilience floor removes the arbitrage argument that MiCA is "lighter" than the traditional-finance regime.
Impact
- Licensed CASPs — every one on the register is CSA-eligible. The sample is risk-based, so scale, complexity, and prior incident history are the load-bearing selection variables. Firms with hot-wallet-dominant custody, complex on-chain vault architectures, or sub-custodian chains should assume they are candidates.
- Sub-custodians and infrastructure vendors — the third-party-dependency arm of the CSA maps to DORA's ICT third-party register concept. Sub-custodians without a MiCA authorisation of their own can still be inspected by proxy, through their CASP client's records.
- Post-mortem quality — after a public incident, ESMA and the NCAs now have a supervisory framework that expects a specific documentation trail. Post-mortems written to that shape (root cause, control gap, remediation timeline, disclosure) get easier treatment than free-form statements.
- Insurance underwriting — cyber and crime policies for European CASPs will re-price against the CSA's public findings when the H2 2027 report lands.
What to watch
- The NCA sample composition. ESMA will not publish which firms are in-scope, but AMF and BaFin communications over the summer will telegraph priorities: MiCA CASPs with on-chain vault architectures, those with complex sub-custody chains, and those flagged in the transition-period reporting are the natural first targets.
- The first CSA-driven public statement. If an NCA issues a supervisory letter or a public thematic finding before H2 2027, it means an inspection surfaced a gap material enough to communicate mid-cycle.
- The DORA overlap resolution. Some CASPs are also regulated financial firms under other regimes (banks with a crypto arm, MiFID firms with a CASP notification). The interaction between the DORA compliance track and the CSA custody track is unresolved; the first firm to be inspected under both simultaneously will define the pattern.
- AscendEX's post-mortem. ZachXBT flagged the withdrawal stall in early July. A public post-mortem or regulatory finding on that specific incident during the CSA window would be the empirical anchor for the exercise.
Context — MiCA year one moves from licensing to inspection
The July 1 transition cut-off was the visible half of MiCA year one. The CSA is the operational half. Under the peer-review authority granted to ESMA in its founding regulation, the CSA format has been used repeatedly in other domains — MiFID product governance, UCITS liquidity, prospectus disclosure — and the pattern is consistent: a scoped exercise, a risk-based sample, an aggregated report a year later, and thematic supervisory statements as follow-up. Crypto custody is now on that same treadmill.
A subtle detail worth noting: the CSA does not target stablecoin issuers under MiCA's Title III (ARTs and EMTs), which are already under a bespoke Title III supervisory arrangement co-led by the EBA. The July 8 exercise is Title V — CASPs providing custody as a regulated service — and that scoping keeps the exercise legally clean at the cost of leaving one of the largest operational-resilience surfaces in European crypto (issuance and reserve custody for USDC- and EURC-class instruments) outside the July 8 announcement.
What other outlets missed
Most coverage frames the CSA as an "ESMA custody review." That reading misses the DORA alignment, which is the operative regulatory move. The list of scoped risks is a straight lift of DORA's Chapter III ICT risk-management categories, re-cast for on-chain infrastructure. What ESMA is doing on July 8 is not adding a new inspection regime — it is importing DORA's operational-resilience floor into MiCA custody and using the CSA machinery to test it. Reading the CSA any other way misses that the H2 2027 consolidated report will read as a MiCA/DORA reconciliation document, not as a bespoke crypto-custody paper.