ESMA launches Common Supervisory Action on CASPs' custody digital operational resilience
National Competent Authorities must assess authorised CASPs' custody digital resilience on a risk-based sample, producing findings for ESMA's consolidated supervisory report
- — National Competent Authorities must select and assess a risk-based sample of authorised CASPs' custody digital operational-resilience frameworks between H2 2026 and H1 2027 and report findings to ESMA — assessments not completed within the exercise window cannot contribute to ESMA's consolidated CSA report.
- — Authorised CASPs providing custody services that fall into an NCA's risk-based sample must be able to evidence DLT governance, key and storage management, transaction controls, incident detection and response, smart contract risk management and third-party dependency controls during the exercise period — gaps in demonstrable controls will be recorded in NCA findings and feed ESMA's convergence report.
- — National Competent Authorities conducting the CSA assessments
- — Authorised CASPs providing custody services in the EU
- — H2 2026 to H1 2027 — NCAs conduct the CSA assessment of sampled CASPs' custody digital operational resilience.
- — H2 2027 — ESMA consolidates NCA findings into a final report submitted to its Board of Supervisors following conclusion of the exercise.