European Banking Authority Proposes Strict Capital Requirements for Crypto-Custody Services Under MiCA Framework

The European Banking Authority (EBA) is advancing a new set of prudential requirements for financial institutions offering cryptocurrency custody services, marking the next phase of implementation for the landmark Markets in Crypto-Assets (MiCA) regulation. The proposed guidelines, released for public consultation this week, would impose capital adequacy ratios and operational resilience standards on banks and authorized custodians holding digital assets on behalf of clients.

TL;DR

• EBA proposes capital adequacy requirements for crypto custody providers under MiCA
• Institutions must maintain minimum capital buffers proportional to digital asset holdings
• New operational resilience standards mandate cold storage thresholds and disaster recovery protocols
• Consultation period runs through February 2026 with implementation expected by mid-2026
• The rules apply to all EU-licensed custody providers including traditional banks entering the crypto space

The proposal emerges from the EBA’s mandate under MiCA to develop technical standards for crypto-asset service providers (CASPs) that engage in custody and administration of digital assets on behalf of third parties. While MiCA established the foundational regulatory framework for crypto-assets across the European Union, the implementation of detailed prudential requirements has been delegated to specialized regulatory bodies, with the EBA taking the lead on custody-related matters given the intersection with traditional banking supervision.

Capital Adequacy Framework

Under the proposed standards, custody providers would be required to maintain capital reserves equivalent to at least 3% of the total value of digital assets under custody, calculated on a rolling quarterly average basis. This threshold represents a middle ground between the 1% ratio advocated by industry groups and the 5% standard that some conservative regulators had pushed for during preliminary discussions.

For institutions that also engage in proprietary trading of crypto-assets, the capital requirements would increase to 5% of holdings, reflecting the additional risk exposure associated with market-making activities. The EBA has indicated that these ratios may be adjusted upward for institutions holding significant concentrations of volatile or illiquid tokens, with specific risk weightings to be determined through supplementary technical guidance.

The capital framework also introduces a novel “technological risk premium” that adds 0.5% to capital requirements for custody providers that have not achieved ISO 27001 certification or an equivalent information security standard. This provision reflects the EBA’s recognition that crypto custody carries unique operational risks that differ fundamentally from traditional securities custody.

Operational Resilience Standards

Beyond capital requirements, the EBA proposal establishes detailed operational standards that go considerably further than MiCA’s baseline requirements. Custody providers would be required to maintain at least 80% of client assets in cold storage at all times, with real-time reporting obligations to demonstrate compliance. The remaining 20% held in hot wallets would be subject to insurance requirements, with minimum coverage levels pegged to the value of assets in active circulation.

The proposal also mandates comprehensive disaster recovery and business continuity plans, including regular stress testing against scenarios such as coordinated exchange outages, blockchain consensus failures, and large-scale private key compromise events. Custody providers must demonstrate the ability to restore full service within 24 hours of a major operational disruption, a standard that some industry participants have described as ambitious given current technological capabilities.

Key management procedures receive particular attention in the guidelines. The EBA is proposing mandatory multi-signature arrangements for all institutional custody operations, with a minimum of three signatories required for transactions exceeding €1 million. Hardware security modules (HSMs) certified to FIPS 140-2 Level 3 or higher would be required for all key generation and storage operations.

Implications for Traditional Banks

The proposed requirements carry significant implications for traditional banking institutions that have been exploring crypto custody services. Major European banks including BNP Paribas, Societe Generale, and Deutsche Bank have announced plans to offer digital asset custody following the adoption of MiCA, but the EBA’s prudential standards may force some institutions to reassess the economics of these offerings.

Industry estimates suggest that compliance with the full suite of proposed requirements could increase operational costs for bank-affiliated custody services by 30-40% compared to initial projections. This cost increase reflects not only the capital requirements but also the investment in cold storage infrastructure, insurance premiums, key management systems, and the specialized personnel needed to operate them.

However, the clear regulatory framework may ultimately benefit established banks by creating a competitive moat against less capitalized entrants. The capital and operational requirements could effectively price out smaller or less well-resourced custody providers, consolidating the market among institutions with existing compliance infrastructure and deep balance sheets.

Industry Response and Consultation

The European crypto industry’s response to the proposal has been measured, with most major industry associations acknowledging the need for prudential standards while lobbying for adjustments to specific provisions. The European Crypto Initiative, a Brussels-based industry group, has expressed concern about the cold storage threshold, arguing that 80% may be too restrictive for custody providers serving active trading clients who require frequent access to their assets.

The European Central Bank, which was consulted during the drafting process, has reportedly endorsed the general approach while advocating for even stricter requirements for systemically important custody providers. The ECB’s position reflects growing concern among monetary authorities about the concentration of crypto-assets among a small number of institutional custodians and the potential systemic implications of a major custody failure.

The public consultation period will remain open through February 2026, with the EBA expected to publish final technical standards by June 2026. EU member states would then have six months to implement the standards into national law, meaning full enforcement could begin by early 2027.

Why This Matters

The EBA’s custody standards represent the most detailed prudential framework for crypto-asset custody anywhere in the world. While other jurisdictions — including the United States, United Kingdom, and Japan — have issued guidance on crypto custody, none has attempted to build a comprehensive capital adequacy and operational resilience regime comparable to what the EBA is proposing.

For the European crypto industry, the standards represent both a challenge and an opportunity. The compliance burden will be substantial, and some smaller custody providers may exit the market or consolidate with larger players. But the resulting regulatory clarity could position the EU as the most attractive jurisdiction for institutional crypto custody, potentially drawing assets and talent away from less regulated markets.

The global regulatory community will be watching closely. If the EBA’s approach succeeds in balancing investor protection with industry viability, it could serve as a template for custody regulation worldwide. If it proves too restrictive, it could drive custody services offshore and undermine the EU’s ambitions to become a global hub for digital asset innovation.

For retail and institutional investors alike, the message is clear: the era of unregulated crypto custody is ending in Europe. The question now is whether the new framework will raise the bar high enough to protect clients without pricing out the innovation that makes digital assets compelling in the first place.

Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Cryptocurrency investments carry significant risk, including the potential loss of principal. Readers should conduct their own research and consult with qualified financial and legal advisors before making investment decisions. The regulatory landscape for digital assets is evolving rapidly, and requirements may change.