
Europe's top securities regulator is stress-testing how crypto firms safeguard client assets. Unauthorized providers face a July 2026 deadline to stop serving EU clients or exit.
The European Securities and Markets Authority has kicked off an EU-wide examination of how crypto custody providers handle client assets. It is the first coordinated supervisory review under the Markets in Crypto-Assets Regulation, known as MiCA, and it shifts the regulatory focus from rulemaking to active compliance checks.
The review targets authorized Crypto-Asset Service Providers, or CASPs. It centers on segregation of client funds and risk management. The regulator is assessing compliance with MiCA's Article 75, which requires firms to keep client Bitcoin, ether, and other crypto assets separate from their own holdings and to prove they can survive operational disruptions without losing client money.
No specific CASPs or protocols have been named. ESMA designed this as a broad thematic review, meaning the regulator is evaluating the entire sector rather than picking off individual bad actors. The goal is supervisory convergence – a bureaucratic term for ensuring that a crypto custodian in Estonia faces the same standards as one in France.
The July 2026 Deadline
MiCA's transitional period ends July 1, 2026. After that date, any CASP operating without proper authorization must stop providing services to EU clients. The only exception is for orderly wind-downs, where unauthorized providers can maintain custody solely to help existing clients exit their positions. No new onboarding is allowed.
ESMA has also closed a potential loophole. Unauthorized CASPs are explicitly barred from outsourcing custody obligations to other unlicensed entities. A firm without authorization cannot park client assets with another unauthorized provider and claim compliance by proxy.
For anyone holding crypto through a European custodian, this review matters. The FTX collapse in 2022 showed what happens when client asset segregation exists on paper but not in practice. MiCA's custody rules are designed to prevent that scenario, and ESMA is now actively verifying compliance rather than just publishing rulebooks.
The review builds on guidance ESMA issued throughout the MiCA rollout, including updated custody guidance published as recently as July 2025. The shift is from "here is how the rules work" to "let us check if you are following them."
What this means for crypto traders
Counterparty risk from EU custodians is now under direct regulatory scrutiny. For firms that hold MiCA authorization and maintain transparent asset segregation, the review should feel like validation. For those cutting corners, the message is less comfortable: there is nowhere in the EU to hide, and the clock runs out in less than a year.
The absence of named targets in this review is itself a signal. ESMA is not playing whack-a-mole with individual offenders. It is building the supervisory muscle to monitor an entire sector simultaneously. The July 1, 2026 deadline means unauthorized providers have less than a year to decide between authorization and exit.
For a broader look at how regulation is shaping crypto markets, see our crypto market analysis.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.