The EU securities regulator will assess custody providers’ key management, incident response and reliance on third-party technology providers.