ESMA's April 2026 supervisory statement confirmed July 1, 2026 as the hard cutoff for crypto-asset service providers (CASPs) operating in the EU. Any firm providing crypto-asset services without MiCA authorisation after that date is in breach of EU law and must immediately cease operations. National competent authorities have been instructed to apply heightened scrutiny to last-minute applications — regulators will not tolerate deadline-day filings as a delay tactic. Firms that began authorisation processes late face heightened NCA scrutiny and may not receive decisions in time.

What to do: Confirm MiCA authorisation status across every EU member state now. If not licensed, begin client offboarding. Grandfathering windows are closing.

Source: ESMA MiCA Supervisory Page

BCBS ICT report and crypto prudential update expected June 2026. The Basel Committee concluded its May 19–20 meeting in Basel by agreeing to publish a report on ICT risk management approaches to non-malicious incidents in June 2026, plus a targeted review update of the crypto prudential standard (CRE55/SCO60) later in 2026. Banks with cryptoasset holdings should monitor both publications for supervisory expectations they will need to benchmark against. Source: BIS, May 20, 2026

SEC fines Foot Locker $148,000 for whistleblower-award waivers. On May 22, 2026, the SEC settled an enforcement action against Foot Locker under Rule 21F-17. The company's separation agreements required departing employees to waive SEC whistleblower award rights — 148 violative agreements at $1,000 each. The action confirms the Commission enforces structural whistleblower protections even during periods of low overall enforcement activity. Source: SEC Whistleblower Press Releases

ESMA T+1 consultation open until July 7. ESMA published a consultation on May 26 proposing amendments to CSDR Article 6(2) guidelines to support the EU's planned T+1 settlement cycle (target: October 11, 2027). Asset managers, custodians, broker-dealers, and CCPs should assess post-trade messaging infrastructure against the proposed changes and submit responses by July 7, 2026. Source: ESMA T+1 Consultation

Basel III Endgame comment period closes June 18 — 20 days away. The Fed, OCC, and FDIC March 2026 re-proposal projects net reductions in capital requirements for most bank categories, reversing the substantially higher levels proposed in 2023. If your institution has not finalised its comment letter, the window is closing. Source: Federal Reserve, March 19, 2026

Audit your separation and severance agreement templates for clauses that condition benefits on waiving SEC whistleblower award rights — and remove any such language immediately.

Next week kicks off with Cybersecurity, Data Security & Cloud Security — enforcement actions, new agency guidance, and cloud policy updates affecting your security programme.

CyberEyeQ — Actionable Regulatory Intelligence | [email protected]