Immediately following the full closure of the MiCA transition period, ESMA launched a joint audit action targeting crypto custody service providers, a concrete sign that Europe's crypto regulation is moving from the licensing phase to the actual audit phase.



This Joint Audit Action was announced on July 8th and will run from the second half of 2026 to the first half of 2027, with the final report compiling the findings to be submitted to ESMA's Board of Supervisors in the second half of 2027. This is a truly lengthy process, not a snapshot, but a review spanning months.

The audit will not be conducted by ESMA itself, but by each member state's national regulatory authority, such as BaFin in Germany, AMF in France, and CNMV in Spain. Each national authority will select a risk-based sample of licensed firms within its region to conduct the audit; that is, not every firm will be examined, but those with the largest volume, cross-border operations, or the largest customer assets will be prioritized.

The areas covered by the review are quite technical and in-depth, primarily focusing on private key generation and custody management, transaction authorization controls, incident detection and response processes, smart contract risks, and reliance on third-party technology providers. This last point is particularly important because many custody service providers rely on external technology partners for their core infrastructure, creating a weakness that could otherwise fall outside the scope of the regulatory review. ESMA aims to close this gap by directly including it.

The timing is no coincidence; the MiCA transition period officially closed on July 1st, and the number of registered providers increased from 243 to 280, largely driven by new licensees such as Standard Chartered, FalconX, and Sygnum Europe. Cyprus was also the country with the most licenses, with six new approvals. Just two days before this audit, Ripple also received full CASP authorization from Luxembourg's CSSF, allowing the company to operate throughout the entire thirty-country European Economic Area. Spain's CNMV has unequivocally stated that no extensions will be granted for unlicensed platforms.

The real significance of this oversight lies in the fact that having a license is now seen as a floor, not a ceiling. ESMA wants to test whether firms truly possess operational resilience, not just appear compliant on paper. Much of Europe's crypto custody infrastructure is built on a limited number of infrastructure providers—cloud infrastructure, hardware security modules, or private key management firms. If national regulators find the same third-party provider problematic across multiple firms, this could lead to a costly infrastructure migration across the entire market—a systemic risk precisely that Europe's parallel digital operational resilience law, DORA, aims to prevent.

For those following crypto custody services or MiCA-licensed platforms in Europe via Gate, the crucial point is that the results of this audit will provide a tangible indicator of the security of user assets, and how strictly national authorities enforce this audit will determine how different the audit standards will be for a company licensed in one member state compared to another. This will be the first concrete test of whether MiCA can truly create a unified audit standard.
post-image
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • 4
  • Repost
  • Share
Comment
Add a comment
Add a comment
Venüs_
· 3h ago
LFG 🔥
Reply0
Venüs_
· 3h ago
To The Moon 🌕
Reply0
Venüs_
· 3h ago
2026 GOGOGO 👊
Reply0
HighAmbition
· 3h ago
good information about crypto market
Reply0
  • Pinned