The European Securities and Markets Authority (ESMA) has fired the starting gun on a coordinated, bloc-wide stress test of crypto-asset service providers (CASPs), moving EU supervision from licensing checks to live operational resilience audits. The Common Supervisory Action (CSA), announced on 8 July, tasks national regulators with inspecting a risk-based sample of authorised custodians, exchanges, and token platforms to measure how mature their controls really are now that the Markets in Crypto-Assets (MiCA) regulation has entered full force.
The exercise – which runs from the second half of 2026 through the first half of 2027, with a consolidated report expected later that year – targets the custody stack, the most sensitive layer of any crypto business. ESMA’s checklist drills into key management (how private keys are generated, stored, and used); storage architecture (the split between cold and hot wallets); transaction controls (approval workflows, multi‑signature rules, and suspicious‑transfer safeguards); governance (board oversight and independence of risk functions); incident detection and response (breach containment, real‑time blocking, and regulatory notification); smart‑contract risks (auditing on‑chain code used for staking, bridging, or DeFi integrations); and third‑party dependencies (concentration on a handful of cloud, HSM, and key‑management vendors).
The backdrop is the MiCA transition deadline of 1 July 2026, after which only fully authorised providers could operate. ESMA’s interim register has already climbed to 280 authorised firms, with recent additions including Standard Chartered, FalconX, and Sygnum Europe, and Ripple securing full CASP authorisation from Luxembourg’s CSSF just days earlier. However, the CSA makes clear that a licence is now the floor, not the ceiling. Under the parallel Digital Operational Resilience Act (DORA), crypto service providers are treated as financial entities and must prove their IT infrastructure can survive cyberattacks, outages, and supplier failures – and the CSA is the first synchronised test of how well those two frameworks are being implemented at the coalface of client asset protection.
National competent authorities (NCAs) such as Germany’s BaFin, France’s AMF, and Spain’s CNMV will each select a risk‑based sample of firms, concentrating on larger custodians, cross‑border operators, and those handling the most client assets. While the reviews are intended to promote supervisory convergence, there is concern that asymmetric enforcement could emerge – a firm licensed in one member state may face a far more aggressive inspection than a competitor in another. More worryingly, the exercise may expose deep concentration risk: much of European crypto custody infrastructure relies on a small set of underlying providers, and a finding that a single third party is a systemic weak link could force costly, market‑wide migrations. For firms that have built mature, well‑documented controls, the CSA offers an opportunity to demonstrate their resilience. For others, it could trigger expensive upgrades to systems, governance, or third‑party relationships ahead of the 2027 report. In either case, the message is unequivocal: the rulebook era is over, and enforcement has begun.