Skip to main content
DORA Auditor

news

ESMA targets crypto custody resilience in new EU-wide supervisory review

ESMA's new Common Supervisory Action tests how crypto-asset service providers apply DORA's ICT-risk and third-party rules to custody operations, from key management to exit strategy.

DORA Auditor Editorial Team·Published

On 8 July 2026, ESMA launched a Common Supervisory Action (CSA) directing national competent authorities to review the digital operational resilience of crypto-asset service providers' custody operations across the EU. The exercise runs from the second half of 2026 into the first half of 2027 and tests, in practice, how CASPs are applying DORA's third-party and ICT-risk requirements to the systems that hold client crypto-assets.

What the CSA covers

A Common Supervisory Action is ESMA's mechanism for getting national regulators to examine the same risk area, using the same methodology, at the same time. For this round, competent authorities will assess a risk-based sample of authorised CASPs against:

  • governance arrangements for custody operations,
  • key and storage management for distributed-ledger assets,
  • transaction controls and smart-contract risk,
  • incident detection and response, and
  • dependencies on ICT third-party providers supporting custody.

Findings from each national authority feed into a consolidated ESMA report, expected in the second half of 2027.

Why custody, and why now

Custody is where a CASP's DORA obligations and its MiCA authorisation overlap most directly: a failure in key management or storage does not just breach ICT risk-management expectations, it can mean an irreversible loss of client assets. With MiCA authorisation now fully in force across the EU and the first cohort of CASPs a year or more into DORA application, ESMA is moving from rule-publication to active supervision, using a coordinated review rather than isolated national inspections. Our DORA vs MiCA comparison covers where the two regimes overlap and where they diverge in more detail.

What CASPs should do now

Firms in scope do not need to wait for a supervisory letter to start preparing:

  • Map custody-specific ICT dependencies. Wallet infrastructure, key-management providers, and custody sub-processors belong in your register of information under Article 28, with sub-outsourcing chains documented, not just direct contracts.
  • Pressure-test key-management controls. Document who can authorise a transaction, how keys are generated, stored, and rotated, and what happens if a key-management provider is unavailable.
  • Revisit your incident playbook for custody events. A custody incident, a stuck withdrawal, a compromised signing device, a smart-contract exploit, should map cleanly onto DORA's major-incident classification and reporting timeline under Article 18.
  • Check exit strategies for custody providers. Article 29 expects a documented concentration and exit analysis for any provider supporting a critical or important function, and custody usually qualifies.

Our TPP register generator builds a first-draft register in the EBA structure, and the DORA Readiness Score benchmarks third-party-risk maturity alongside the other four pillars.

Sources

Last updated: 11 July 2026.

#news#crypto-asset-service-providers#third-party-risk#mica

More from the blog