Curaçao Gaming Authority Unveils Mandatory Cybersecurity Framework for Licensed Operators
The Curaçao Gaming Authority has officially published its first Information Security Control Requirements framework for public consultation, introducing a detailed cybersecurity baseline that will become a compulsory licensing condition for every operator licensed under the CGA, including both B2C and B2B entities.

Released in April 2026 under the authority of the Landsverordening op de Kansspelen (LOK) and the Landsverordening Casinowezen Curaçao (LCC), the 62-page framework marks a major development in the regulator’s ongoing effort to modernize oversight standards within the jurisdiction. Stakeholders across the industry have until 18 June 2026 to provide comments and feedback through the official consultation process via [onlinegaming@cga.cw](mailto:onlinegaming@cga.cw).
At the center of the framework is the adoption of the Center for Internet Security (CIS) Controls Implementation Group 1 (IG1) as the mandatory cybersecurity baseline. The IG1 standard consists of essential cyber hygiene measures aimed primarily at organizations operating with limited technical resources. However, the CGA emphasizes that IG1 should not be viewed as the ultimate target for operators.
The document establishes a structured three-level cybersecurity progression model: IG1 will serve as the enforceable minimum standard, IG2 has been identified as the recommended operational objective to be achieved within 24 to 36 months, and IG3 is presented as a long-term strategic goal designed for larger enterprises with advanced security operations. According to the regulator, IG2 represents the most appropriate cybersecurity standard for the majority of operators due to the industry’s reliance on sensitive player information, financial infrastructures, and exposure to heightened cyber threats.
Under the proposed rules, all licensed operators will be granted a 12-month period from either the issuance of their license or the publication of the framework to demonstrate compliance with IG1 requirements. Compliance verification will involve annual self-assessments, compulsory third-party audits for online operators, and continuous oversight conducted by the CGA itself.
The cybersecurity controls outlined in the framework extend across 20 operational domains and address the entire lifecycle of a gaming operation. Among the most significant obligations is the maintenance of hardware and software asset inventories, which must be reviewed at least twice every year. Operators will also be required to implement secure system configurations, disable default system accounts, and enforce multi-factor authentication for all internet-facing services, remote access systems, and administrative functions, and vulnerability scans must be conducted no less than once per month.
The framework contains particularly extensive audit logging obligations tailored specifically to the gaming environment. Operators will be expected to capture and retain records relating to gameplay activity, betting transactions, jackpot events, movements of cash and credit, as well as every administrative modification made within their systems. These logs must be stored in centrally managed repositories designed to resist tampering.
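The tamper-resistant logging obligation above is easiest to reason about with a concrete mechanism. The following is an added illustration, not code from the CGA framework or any operator: a keyed hash chain in which every log entry carries an HMAC over its own content plus the MAC of the preceding entry, so that editing, reordering or deleting an earlier record invalidates everything after it. The key, the event fields and the `anchor_mac` parameter are assumptions made for the example; a central log store would hold the key in an HSM or KMS and periodically publish the latest MAC to an external location so that truncation of the tail can also be detected.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real log repository keeps this in an HSM/KMS, not in source.
LOG_KEY = b"demo-log-signing-key-not-for-production"
GENESIS = "0" * 64  # MAC "of the entry before the first one"


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the same record always produces the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, record: dict) -> dict:
    """Append one gaming event to the chain.

    The MAC covers the sequence number, the previous entry's MAC and the record,
    so any change to an earlier entry breaks the link from every later entry.
    """
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "record": record}
    mac = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchor_mac: Optional[str] = None):
    """Return (ok, index_of_first_bad_entry); index is -1 when the chain is intact.

    anchor_mac is an externally stored copy of the most recent MAC (an assumption
    for this example). Without it, silently dropping the newest entries would not
    be detected, because a shorter chain is still internally consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["mac"])):
            return False, i
        prev = entry["mac"]
    if anchor_mac is not None and (not chain or chain[-1]["mac"] != anchor_mac):
        return False, len(chain)  # tail was truncated or anchor does not match
    return True, -1


def build_sample_chain() -> list:
    """Constructed sample events of the kinds the framework says must be logged."""
    chain: list = []
    events = [
        {"event": "bet", "player": "p-1001", "game": "slot-7", "amount": 5.00},
        {"event": "jackpot", "player": "p-1001", "game": "slot-7", "amount": 1200.00},
        {"event": "cash_out", "player": "p-1001", "amount": 1205.00},
        {"event": "admin_change", "actor": "ops-admin-2", "setting": "rtp", "new": "96.1"},
    ]
    for record in events:
        append_record(chain, record)
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    print("intact:", verify_chain(sample))
    sample[1]["record"]["amount"] = 1.00  # simulate an edit to the jackpot record
    print("after edit:", verify_chain(sample))
```

The interesting property is the third check in `verify_chain`: a chain that merely hashes each entry on its own would let an attacker with write access rewrite an entry and its hash together, whereas binding each entry to the previous MAC under a key the writer does not hold forces the whole suffix to be recomputed, which is exactly what the central repository's key custody prevents.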
Incident response procedures also form a critical part of the proposed standards. The framework establishes a strict 24-hour reporting obligation to the CGA for any incident impacting gaming integrity, player funds, personal information, or system availability. Failure to comply with this reporting requirement will constitute a direct breach of licensing conditions.
One of the most significant features of the framework is its direct application to B2B gaming technology providers as independent primary licensees rather than simply entities referenced within a B2C operator’s compliance program. The CGA explicitly clarifies that accountability for cybersecurity compliance applies equally across both sides of the gaming supply chain.
To reinforce this principle, the framework introduces a shared responsibility matrix covering multiple operational areas, including game and random number generator certification, platform security, player data protection, and incident reporting obligations. B2B providers will be required to maintain all relevant certifications and proactively notify both their commercial partners and the CGA whenever certifications lapse or their scope changes.
At the same time, B2C operators will be obligated to verify certification statuses during onboarding procedures and at least once annually thereafter. Vendor contracts must include right-to-audit clauses, and operators will be required to suspend affected gaming content whenever a B2B provider’s certifications are withdrawn.
The framework also specifically addresses content aggregators and sports data feed providers. These entities will need to ensure that all feed channels are authenticated and encrypted, implement cryptographic integrity validation mechanisms, monitor systems for anomalies, and maintain documented procedures allowing feeds to be suspended whenever integrity can no longer be guaranteed.
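The feed obligations above combine four controls: an authenticated channel, cryptographic integrity validation, anomaly monitoring and a documented suspension path. The following added example, which is not code from the framework or from any feed provider, shows one way those fit together at the application layer on both sides of a sports data feed. The provider signs each message with an HMAC that binds the feed identifier, a sequence number, a timestamp and the payload; the consumer rejects messages whose MAC does not verify, that replay an old sequence number, or that are stale, and suspends the feed after a run of failures until an operator re-enables it. The shared key, the thresholds and the message layout are assumptions for the example; transport encryption (TLS) is assumed to sit underneath and is not shown.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret for the demo. A real deployment provisions a per-feed
# key out of band and rotates it (an assumption, not a requirement the page states).
FEED_KEY = b"demo-feed-key-not-for-production"
MAX_AGE_SECONDS = 30            # freshness window, chosen for the example
MAX_FAILURES_BEFORE_SUSPEND = 3  # consecutive failures before the feed is suspended
SIGNED_FIELDS = ("feed", "seq", "ts", "payload")


def _mac_over(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(FEED_KEY, canonical, hashlib.sha256).hexdigest()


def sign_message(feed_id: str, seq: int, ts: float, payload: dict) -> dict:
    """Provider side: one MAC binds feed id, sequence, timestamp and payload."""
    body = {"feed": feed_id, "seq": seq, "ts": ts, "payload": payload}
    return dict(body, mac=_mac_over(body))


@dataclass
class FeedConsumer:
    """Operator side: validates each message and trips a breaker on repeated failure."""
    feed_id: str
    last_seq: int = -1
    failures: int = 0
    suspended: bool = False
    reasons: list = field(default_factory=list)  # audit trail of rejections

    def _check(self, msg: dict, now: float):
        # Verify the MAC before trusting any other field in the message.
        body = {k: msg.get(k) for k in SIGNED_FIELDS}
        if not hmac.compare_digest(_mac_over(body), str(msg.get("mac", ""))):
            return False, "bad_mac"
        if msg["feed"] != self.feed_id:
            return False, "wrong_feed"
        if msg["seq"] <= self.last_seq:
            return False, "replay"
        if abs(now - msg["ts"]) > MAX_AGE_SECONDS:
            return False, "stale"
        return True, ""

    def accept(self, msg: dict, now: float) -> bool:
        if self.suspended:
            self.reasons.append("suspended")
            return False
        ok, reason = self._check(msg, now)
        if ok:
            self.failures = 0
            self.last_seq = msg["seq"]
            return True
        self.failures += 1
        self.reasons.append(reason)
        if self.failures >= MAX_FAILURES_BEFORE_SUSPEND:
            self.suspended = True  # documented suspension: no content served from this feed
        return False

    def resume(self) -> None:
        """Operator action after the integrity issue has been investigated."""
        self.failures = 0
        self.suspended = False


def run_demo() -> FeedConsumer:
    """Constructed message sequence: one good message, then three kinds of failure."""
    now = 1_700_000_000.0  # fixed clock so the demo is deterministic
    consumer = FeedConsumer("odds-feed-1")
    good = sign_message("odds-feed-1", 1, now, {"match": "A-B", "home_odds": 1.95})
    consumer.accept(good, now)                    # accepted
    forged = dict(good, seq=2, payload={"match": "A-B", "home_odds": 9.50})
    consumer.accept(forged, now)                  # rejected: MAC no longer matches
    consumer.accept(good, now + 1)                # rejected: sequence 1 already seen
    stale = sign_message("odds-feed-1", 3, now - 600, {"match": "A-B", "home_odds": 1.90})
    consumer.accept(stale, now)                   # rejected: outside freshness window
    later = sign_message("odds-feed-1", 4, now + 2, {"match": "A-B", "home_odds": 1.92})
    consumer.accept(later, now + 2)               # rejected: feed is suspended
    return consumer


if __name__ == "__main__":
    c = run_demo()
    print("suspended:", c.suspended, "last_seq:", c.last_seq, "reasons:", c.reasons)
```

The `reasons` list is the hook for the monitoring obligation: a run of `bad_mac` or `replay` rejections is the anomaly an operator's alerting should surface, and the breaker makes the suspension decision automatic rather than dependent on someone noticing in time.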
Throughout the document, the framework has been deliberately aligned with ISO/IEC 27001:2022 standards. Annex A control references are mapped directly alongside each CIS requirement, enabling operators to integrate the controls into an Information Security Management System and potentially pursue ISO certification if they choose to do so.
The CGA additionally explains that certain controls lacking direct ISO equivalents — including weekly unauthorized asset detection procedures and DNS filtering measures — have nonetheless been retained because of their practical effectiveness in reducing operational risks, particularly for smaller organizations and hybrid operational environments.
The enforcement section of the framework leaves little room for ambiguity regarding potential penalties. Operators failing to comply with the requirements may face formal written warnings, compliance directives, administrative financial sanctions proportionate to the seriousness of violations, and even temporary or permanent suspension of their licenses.
The CGA also reserves broad supervisory powers under the proposal, including the authority to conduct unannounced assessments, deploy remote scanning technologies, perform automated compliance verification, and carry out on-site inspections. These powers are expected to be exercised particularly in relation to land-based operators or situations involving elevated risk indicators.
The consultation process will remain open until 18 June 2026, and given the framework’s substantial impact on compliance obligations, operational expenses, and vendor contractual arrangements throughout the CGA ecosystem, participation from both B2C operators and B2B platform suppliers is expected to be extensive. Industry participants may submit their observations and recommendations to [onlinegaming@cga.cw](mailto:onlinegaming@cga.cw), while the complete consultation document is available through the CGA’s official website.
By fLEXI tEAM