The Curaçao Gaming Authority has released its first formal Information Security Control Requirements document for public consultation, setting out a comprehensive cybersecurity baseline that will become a mandatory condition of licensure for all CGA-licensed operators, both B2C and B2B.
Published in April 2026 under the authority of the Landsverordening op de Kansspelen (LOK) and Landsverordening Casinowezen Curaçao (LCC), the 62-page framework represents a significant step in the regulator’s push to modernise oversight standards. Industry stakeholders have until 18 June 2026 to submit feedback to [email protected].
The framework adopts the Center for Internet Security (CIS) Controls Implementation Group 1 (IG1) as its enforceable baseline, a set of essential cyber hygiene practices designed for organizations with limited technical resources. But the CGA is clear that IG1 is a floor, not a ceiling.

The document outlines a three-tier progression: IG1 as the mandatory foundation, IG2 as the recommended target within 24 to 36 months, and IG3 as a strategic goal for large enterprises with mature security operations. The CGA explicitly states it views IG2 as the appropriate cybersecurity target for most operators in the sector, citing the industry’s exposure to sensitive player data, financial systems, and elevated threat vectors.
All licensed operators will have 12 months from the date of license issuance or the guidelines’ publication to demonstrate IG1 compliance, through annual self-assessments, mandatory third-party audits for online operators, and ongoing CGA monitoring.
The controls span 20 domains and cover the full operational lifecycle of a gaming business. Key obligations include maintaining hardware and software asset inventories reviewed at least twice annually; applying secure configurations and disabling default accounts on all systems; enforcing multi-factor authentication for all internet-facing applications, remote access, and administrative functions; and running vulnerability scans at minimum monthly.

Audit logging requirements are notably detailed for a gaming context: operators must capture gameplay and betting transactions, jackpot events, cash and credit movement, and all administrative system changes, stored in tamper-resistant, centrally managed repositories. The framework also mandates structured incident response, including a hard 24-hour notification deadline to the CGA for incidents affecting gaming integrity, player funds, personal data, or system availability. Failure to notify constitutes a breach of license conditions.
One of the more consequential aspects of the framework is its explicit application to B2B gaming technology providers as primary licensees — not merely as entities referenced in a B2C operator’s compliance documentation. The CGA makes clear that both sides of the supply chain carry direct regulatory accountability.
The document introduces a shared responsibility matrix covering game and RNG certification, platform security, player data protection, and incident notification. B2B providers must hold and maintain certifications and proactively notify partners and the CGA of any lapse or scope change. B2C operators, for their part, must verify certification status at onboarding and at minimum annually, include right-to-audit provisions in vendor contracts, and suspend affected game content if a B2B provider’s certifications are withdrawn.
Content aggregators and sports data feed providers are specifically called out, with requirements for authenticated and encrypted feed channels, cryptographic integrity validation, anomaly monitoring, and documented suspension procedures when feed integrity cannot be assured.
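To make the feed-integrity requirements concrete, the following is an added illustration (not code from the CGA document or from any provider) of how an operator-side feed consumer can verify a sports data message cryptographically, reject replays and stale data, flag an odds anomaly, and move the feed into a suspended state when integrity cannot be assured. The shared key, message fields, thresholds and sample messages are all assumptions constructed for the example; a real deployment would use the provider's documented signing scheme and key-distribution process.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical shared secret between the data provider and the operator
# (constructed for this example; in practice distributed out-of-band and rotated).
FEED_KEY = b"example-shared-feed-key-rotate-me"

# Fields covered by the signature; anything outside this set is not authenticated.
SIGNED_FIELDS = ("seq", "ts", "event", "market", "odds")


def canonical_bytes(msg: dict) -> bytes:
    """Deterministic serialisation so provider and operator hash identical bytes."""
    body = {k: msg[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(msg: dict, key: bytes = FEED_KEY) -> dict:
    """Provider side: attach an HMAC-SHA256 tag over the canonical message body."""
    tag = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return {**msg, "mac": tag}


@dataclass
class FeedGuard:
    """Operator-side validator implementing authenticate -> order/freshness -> anomaly -> suspend."""
    key: bytes = FEED_KEY
    max_odds_jump: float = 0.5   # relative odds change that raises an anomaly flag (assumed threshold)
    max_skew_s: int = 30         # tolerated clock skew between feed timestamp and local time
    last_seq: int = 0
    last_odds: dict = field(default_factory=dict)
    suspended: bool = False
    reason: str = ""

    def check(self, msg: dict, now: int) -> str:
        """Return 'ok', 'anomaly' or 'suspended'. Integrity failures suspend the feed until reviewed."""
        if self.suspended:
            return "suspended"
        # 1. Cryptographic integrity: constant-time comparison of the HMAC tag.
        expected = hmac.new(self.key, canonical_bytes(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return self._suspend("bad MAC")
        # 2. Replay / ordering: sequence numbers must strictly increase.
        if msg["seq"] <= self.last_seq:
            return self._suspend(f"replay or out-of-order seq {msg['seq']}")
        # 3. Freshness: reject messages whose timestamp is too far from local time.
        if abs(now - msg["ts"]) > self.max_skew_s:
            return self._suspend("stale timestamp")
        self.last_seq = msg["seq"]
        # 4. Anomaly monitoring: a large jump in odds for the same market is flagged, not trusted.
        market_key = (msg["event"], msg["market"])
        prev = self.last_odds.get(market_key)
        self.last_odds[market_key] = msg["odds"]
        if prev is not None and abs(msg["odds"] - prev) / prev > self.max_odds_jump:
            return "anomaly"
        return "ok"

    def _suspend(self, why: str) -> str:
        # Documented suspension: record the reason so the incident can be reviewed and reported.
        self.suspended = True
        self.reason = why
        return "suspended"


if __name__ == "__main__":
    guard = FeedGuard()
    good = sign_message({"seq": 1, "ts": 1000, "event": "E1", "market": "1X2", "odds": 2.0})
    print(guard.check(good, now=1000))
    tampered = sign_message({"seq": 2, "ts": 1005, "event": "E1", "market": "1X2", "odds": 2.1})
    tampered["odds"] = 9.9  # altered after signing; MAC no longer matches
    print(guard.check(tampered, now=1005), guard.reason)
```

The validator deliberately treats a signature, ordering or freshness failure as a hard stop rather than a warning, which is the behaviour the framework's "documented suspension procedures" call for, while a statistical anomaly is surfaced for review so that legitimate but unusual market moves are not silently accepted or silently dropped.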

The framework is deliberately mapped against ISO/IEC 27001:2022 throughout, with Annex A control references cited alongside each CIS requirement. The CGA says this is designed to allow operators to integrate the controls directly into an Information Security Management System and work toward ISO certification if desired. Controls without direct ISO equivalents, such as weekly unauthorized asset detection and DNS filtering, are retained on the basis of their practical risk-reduction value for smaller or hybrid environments.
The consequences section is unambiguous. Non-compliance can trigger formal written warnings, compliance orders, administrative financial penalties scaled to the severity of the violation, and temporary or permanent license suspension. The CGA also reserves the right to conduct unannounced assessments and deploy remote scanning tools, automated compliance verification, and on-site inspections — particularly for land-based operations or where high-risk indicators are identified.
The consultation period runs until 18 June 2026. Given the framework’s direct impact on both operator compliance costs and vendor contract structures across the CGA ecosystem, engagement from both B2C operators and B2B platform providers is likely to be substantive. Feedback can be submitted to [email protected]. The full consultation document is available on the CGA’s official website.