Europe's Markets in Crypto-Assets Regulation (MiCA) has handed custodians a license to operate across the EU, but regulators are now scrutinizing whether firms can actually meet the underlying security and resilience demands.

The European Securities and Markets Authority (ESMA) is conducting a review that goes beyond paperwork compliance. Custodians must demonstrate robust operational infrastructure, segregated asset storage, and protection against systemic failures. This isn't just regulatory theater. The standards require custodians to maintain real-time settlement capabilities, custody segregation that withstands bankruptcy proceedings, and technical controls that prevent unauthorized access to private keys or funds.

MiCA licensing represents the first step in a two-phase process. Obtaining a license signals regulatory approval, but ESMA's ongoing assessment will determine whether custodians have the actual operational backbone to justify that approval. The distinction matters: many firms can satisfy paperwork requirements without possessing genuinely secure infrastructure.

The scrutiny reflects lessons from past crypto failures. When centralized platforms collapsed, customer assets were often intermingled, uninsured, or inaccessible. MiCA's custody rules require physical or cryptographic segregation that prevents commingling. Custodians must also maintain insurance coverage and implement recovery procedures for catastrophic scenarios.

For established players like Fidelity, Coinbase Custody, and traditional banks entering the space, meeting these standards represents substantial capital expenditure. Smaller custodians face a different problem: scaling compliance infrastructure economically. Some will struggle to achieve ESMA's security benchmarks without consolidating operations or exiting the market.

The regulatory framework also imposes ongoing monitoring obligations. Custodians must report on cybersecurity incidents, key management practices, and operational incidents that could affect customer funds. This creates a permanent compliance burden that extends far beyond initial licensing.

Timing adds urg