In the face of pushback from policymakers, Europe’s securities regulators argue that the region’s new crypto rules should require independent cybersecurity audits of crypto firms.
Earlier in the year, the European Securities and Markets Authority (ESMA) issued draft standards under the region’s new crypto rules, known as the Markets in Crypto-Assets Regulation (MiCA), which it submitted to the European Commission (EC) for approval.
In September, the EC raised concerns with a couple of those proposed standards, citing concerns about privacy and regulatory burden, and it called on ESMA to revise its proposed standards.
In a regulatory opinion issued on Wednesday, ESMA acknowledged some of the issues raised by European policymakers, but it also reiterated the need to ensure adequate safeguards for investors when dealing with crypto firms.
“This will increase the resilience of the cryptoassets market and enhance investor protection in the cryptoassets space,” ESMA said.
Specifically, ESMA recommended that the MiCA rules require an independent cybersecurity audit to ensure that crypto firms “are subject to a thorough screening process … prior to their entering into the cryptoassets market.”
“[T]echnology (in particular, distributed ledger technology) and IT systems are at the core of cryptoasset service providers’ activities, and this issue is of paramount importance and raises substantial risk at the authorization phase, which would be mitigated by performing an external auditor review,” it said. The lack of external audit requirement in the MiCA rules may “lead to fragmentation across the EU,” it added.
ESMA also proposed revisions to its standard designed to screen members of management at crypto firms for past violations of various laws and regulations.
“ESMA is of the view that the proposed amendment would resolve concerns raised by the EC while ensuring that essential information for evaluating the ‘good repute’ of members of the management body remains intact,” it said.
The revised proposals require approval from the EC first, followed by the European Parliament and Council.