The European Securities and Markets Authority (ESMA) has called for stricter cybersecurity measures under the EU’s Markets in Crypto-Assets Regulation (MiCA).
This comes as the crypto industry continues to be plagued by cyberattacks, with over $1.5 billion stolen from crypto companies in the first half of 2024.
ESMA believes it’s time for lawmakers in Brussels to enforce third-party cybersecurity audits to protect the industry from hackers.
The regulator wants to see these audits as a mandatory requirement for crypto companies under the new MiCA regulation, which is set to fully roll out in December.
Pushback from the European Commission
The EU says MiCA will bring order to the industry. The regulation covers a broad range of entities, including exchanges, brokers, custodians, and trading platforms.
While ESMA is adamant about the need for tighter cybersecurity, the European Commission isn’t sold on the idea. It argues that ESMA is overstepping its boundaries by trying to add this new requirement to MiCA.
The Commission has pushed back, claiming that the current legislation doesn’t support the addition of third-party cyber audits.
Blockchain analytics firm Chainalysis reported that crypto thefts have risen by 84% compared to the same period in 2023. More than 150 hacking incidents were recorded in H1, with centralized exchanges being the prime targets.
Chainalysis pointed out that crypto thieves are increasingly focusing their efforts on these platforms.
Recent high-profile attacks include a $45 million theft from Singapore-based exchange BingX and a $230 million heist from WazirX, an Indian exchange that collapsed after the attack.
Under MiCA, crypto companies will need to get licensed by one of the EU’s member countries. This includes proving that their executives are “fit and proper” and demonstrating that their anti-money laundering controls are solid.
Regulatory pressures
Charles Kerrigan, a partner at law firm CMS, said, “Security’s not something you can take lightly. You’ve got to spend money on security.”
Arvin Abraham, a partner at Goodwin, also weighed in, stating that a standard approach to security would benefit all exchanges, especially as hackers become more sophisticated.
ESMA’s push for these measures comes as MiCA is set to roll out in phases. The key deadlines are December 2024 and July 2026, by which time all provisions will be fully implemented.
But the regulator doesn’t want to wait until it’s too late. It believes that if these companies are going to operate under the MiCA framework, they need to be prepared for the kinds of cyber threats that have already cost the industry billions.
MiCA-compliant tokens like Circle’s EURC and Société Générale’s EURCV are quickly capturing market share. As of press time, MiCA-compliant stablecoins make up about 30% of the total euro stablecoin market.
The total market capitalization for euro stablecoins has surged to around $5.4 billion (€5 billion), with compliant tokens driving most of the growth.
MiCA has also led to a 50% increase in trading volumes for compliant tokens since the regulation’s introduction.
In addition to MiCA, the European Banking Authority (EBA) has released new guidelines that will affect issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs).
These guidelines focus on redemption plans and liquidity management. Issuers are now required to have clear processes for liquidating reserve assets and managing claims from token holders.