The European Securities and Markets Authority (ESMA) on Wednesday launched a Common Supervisory Action (CSA) targeting the digital operational resilience of authorised Crypto-Asset Service Providers, with custody services as the focal point.

National Competent Authorities will conduct the exercise on a risk-based sample of authorised CASPs across the EU. The review is scheduled to run from the second half of 2026 through the first half of 2027.

The CSA will assess the maturity of firms’ custody resilience frameworks across several control areas: governance arrangements, key and storage management, transaction controls, incident detection and response, smart contract risks, and reliance on third-party providers.

The sweep arrives as ESMA and the wider European supervisory system step up DORA-related oversight in 2026, the first full year of the digital resilience regulation’s application. ESMA has previously flagged third-party dependence and ICT architecture as pressure points in CASP supervision.

ESMA said it will consolidate national findings into a final report for its Board of Supervisors in H2 2027.