
The Curaçao Gaming Authority (CGA) has opened a public consultation on its first formal Information Security Control Requirements framework. This framework introduces a mandatory cybersecurity baseline that will apply to all licensed B2C and B2B operators.
Published in April 2026 under the Landsverordening op de Kansspelen (LOK) and Landsverordening Casinowezen Curaçao (LCC), the 62-page framework forms part of the regulator’s broader effort to modernize compliance standards, and it aims to strengthen cybersecurity across the gaming sector. Industry stakeholders can submit feedback until 18 June 2026.
New Cybersecurity Standards for Operators
The framework adopts the Center for Internet Security (CIS) Controls Implementation Group 1 (IG1) as the minimum compliance standard for all licensees. The CGA, however, emphasized that IG1 represents a starting point rather than a long-term objective.
Under the proposed structure, operators must achieve IG1 compliance within 12 months of receiving a license or of the framework’s publication. The regulator recommends that operators progress to IG2 within 24 to 36 months. Meanwhile, IG3 serves as a strategic target for larger organizations with advanced security capabilities.
The CGA identified IG2 as the most appropriate long-term standard for the gaming industry due to its exposure to sensitive customer information, financial transactions, and elevated cyber risks.
Compliance and Reporting Requirements
The framework introduces extensive operational controls across 20 security domains. Operators must maintain updated hardware and software inventories, apply secure system configurations, enforce multi-factor authentication for critical systems, and conduct vulnerability scans at least monthly.
The regulator also established detailed audit logging requirements tailored to gaming operations. Licensees must record gameplay activity, betting transactions, jackpot events, financial movements, and administrative system changes in tamper-resistant centralized repositories.
Incident reporting obligations are equally strict. Operators must notify the CGA within 24 hours of any incident affecting gaming integrity, player funds, personal data, or system availability. Failure to meet the reporting deadline could result in a breach of licensing conditions.
B2B Providers Face Direct Accountability
One of the framework’s most significant provisions extends direct compliance obligations to B2B technology providers. Rather than relying solely on operator oversight, the CGA will hold suppliers independently accountable for meeting regulatory requirements.
The framework introduces a shared responsibility model covering platform security, player data protection, game and RNG certification, and incident reporting. B2B providers must maintain valid certifications and immediately disclose any lapses. In addition, B2C operators must verify certification status, include audit rights in vendor agreements, and suspend affected content if certifications are withdrawn.
The rules also apply to content aggregators and sports data providers, requiring encrypted data feeds, integrity monitoring, and documented procedures for suspending compromised services.
Strong Enforcement Measures
The framework aligns closely with ISO/IEC 27001:2022 standards, enabling operators to integrate the controls into broader information security management systems.
To ensure compliance, the CGA may issue warnings, compliance orders, financial penalties, or suspend licenses for serious violations. The regulator also reserves the right to conduct unannounced inspections, remote security assessments, and automated compliance checks.
With the consultation period running until 18 June, the proposal is expected to generate significant feedback from both operators and technology providers because of its potential impact on compliance costs, vendor relationships, and ongoing licensing obligations.



