Large-Scale Review of Crypto Custody Systems Launched Across Europe

The European Securities and Markets Authority (ESMA) announced the launch of an EU-wide supervisory review of the digital operational resilience of Crypto-Asset Service Providers (CASPs) offering custody services.
ESMA launched a Common Supervisory Action (CSA), under which national regulators will assess how effectively authorized CASPs ensure digital operational resilience when safeguarding client assets.
The review will cover a risk-based sample of CASPs. It will focus on the maturity of internal digital risk management frameworks supporting custody services. In particular, regulators will assess:
- corporate governance frameworks;
- cryptographic key management and asset storage infrastructure;
- transaction controls;
- incident detection and response mechanisms;
- smart contract risks;
- companies’ reliance on third-party technology and service providers.
The initiative will run from the second half of 2026 through the first half of 2027.
According to ESMA, the review reflects its current risk-based supervisory priorities, which identify digital operational resilience and Crypto-Asset Service Providers as key supervisory focus areas. The regulator expects a harmonized supervisory approach to strengthen supervisory convergence across the rapidly evolving digital asset sector.
Once the review is completed, national competent authorities will submit their findings to ESMA. The regulator will then consolidate the results into a final report, which is scheduled to be presented to ESMA’s Board of Supervisors in the second half of 2027.
In April 2026, ESMA’s mandate was expanded, giving the authority direct supervisory powers over CASPs and large cross-border market participants.
