MiCA licensing scrutinised: ESMA tests custodians’ operational resilience
MiCA licensing is only the start for crypto custodians. After MiCA’s transitional period ended, the EU regulator ESMA launched a Common Supervisory Action (CSA) to review the operational resilience of crypto asset service providers (CASPs), with custody services at the center of the test.
ESMA will assess a sample of MiCA-authorized CASPs and focus on whether their custody controls can withstand real-world risks. The review covers key and storage management, transaction controls, incident response, and dependencies on third-party providers. ESMA’s aim is to move from “asserting security” to “evidencing it.”
Industry executives said institutional clients are already asking for deeper proof on asset segregation, access controls, business continuity, and incident handling during market stress. BitGo’s Jody Mettler noted regulators are looking beyond whether firms are licensed, toward the operational standards behind digital asset services. Taurus co-founder Sebastien Dessimoz similarly argued that MiCA licensing is the start line rather than the finish.
Legal analysis highlights overlap with the Digital Operational Resilience Act (DORA). Because custody technology is concentrated among a small number of vendors, one weak supplier could affect many firms. The outcome could influence how regulators benchmark MiCA-authorized custodians and shape EU debates on whether supervision should become more centralized under ESMA.
Overall, MiCA licensing will be increasingly paired with evidence-based resilience requirements, likely raising compliance costs while improving risk transparency.
Neutral
This is likely neutral-to-slightly positive for market quality but not a direct catalyst for price. MiCA licensing is being paired with evidence-based operational resilience checks via ESMA’s CSA, which can reduce tail-risk from weak custody controls. Traders may react via incremental sentiment shifts—especially for custodians’ compliance readiness—rather than immediate moves in BTC/ETH.
In the short term, the announcement can increase perceived regulatory overhead and raise uncertainty for CASPs that are still tightening incident response, segregation, and third-party dependency controls. That can pressure risk appetite around custody-related equities/partners, but the article doesn’t cite any enforcement actions or failures, so broad crypto liquidation risk appears limited.
In the long term, stronger operational resilience standards could resemble prior regulatory “process maturity” phases seen in other jurisdictions—where compliance moves from document-based licensing to ongoing operational testing. That tends to favor institutions with stronger controls and vendor risk management, potentially improving trust and supporting steady inflows. However, if vendors are concentrated, costs to remediate supply-chain weaknesses could take time, keeping volatility elevated during implementation.
Overall, the news affects infrastructure and risk management expectations more than it changes core crypto demand drivers, so the likely market impact is neutral.