Gambling operators and their suppliers must address the NIS 2 obligations, which impose stringent cybersecurity requirements across the European Union.
The NIS 2 Directive (Directive (EU) 2022/2555) aims to enhance the cybersecurity resilience of several sectors, including gambling, by establishing a high common level of cybersecurity across the EU.
Applicability of NIS 2 to the Gambling Sector
The NIS2 Directive applies to entities categorized as “essential” or “important” based on their sector, size, and impact on societal and economic activities. While gambling is not explicitly listed among the critical sectors, gambling operators and their suppliers may fall under the scope of NIS2 if they meet certain criteria:
- Digital Service Providers: Online gambling platforms offering services like online marketplaces or social networking features, and
- Managed Service Providers: Suppliers providing IT services, including cloud computing, data centers, or cybersecurity solutions to gambling operators.
Therefore, it’s imperative for gambling operators and their associated suppliers to assess their operations against NIS 2 criteria to determine applicability and understand their NIS 2 obligations.
Italy’s Implementation: Legislative Decree No. 138/2024
Italy transposed the NIS 2 Directive into national law through Legislative Decree No. 138, effective from October 18, 2024. This decree expands the scope of cybersecurity obligations and introduces specific deadlines for compliance.
Key Deadlines:
- January 1 – February 28, 2025: Entities identified under Article 3 were required to register on the designated Italian portal, providing specified data.
- March 31, 2025: The National Cybersecurity Agency (ACN) compiled a list of affected entities.
- April 15, 2025: ACN communicated inclusion, permanence, or removal from the list to the entities.
Entities becoming affected by December 31, 2025, have additional transition periods:
- Within 9 months: Compliance with incident reporting obligations.
- Within 18 months: Compliance with provisions for cybersecurity training, governance, and risk management.
You can read this article that provides a detailed outline of deadlines and obligations in Italy: NIS 2 in Italy – Deadlines and Obligations
Malta’s Approach to NIS 2 – Legal Notice 71 of 2025
Malta is the country of establishment of several gambling operators. It transposed the NIS 2 Directive into national law through Legal Notice 71 of 2025, known as the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025”, published on March 8, 2025. This framework replaces the previous NIS 1 regime and introduces stricter cybersecurity obligations, reporting requirements, and enforcement mechanisms for entities deemed to be “essential” or “important”.
Key Aspects:
- Self-Registration Mechanism: Entities must register through a national self-registration mechanism established by the Critical Infrastructure Protection Department (CIPD).
- Competent Authorities: The CIPD acts as the primary regulatory authority for cybersecurity, overseeing compliance, conducting security audits, and enforcing penalties for non-compliance. Malta’s Computer Security Incident Response Team (CSIRT) plays a central role in coordinating cybersecurity responses and facilitating coordinated vulnerability disclosure processes.
- Coordinated Vulnerability Disclosure (CVD): A dedicated framework encourages reporting potential vulnerabilities in ICT products, processes, or services to relevant entities, with CSIRT acting as the national coordinator for such disclosures.
You can read the following article on the topic: “Gambling operators shall deal with the implementation of NIS 2 in Malta”.
Core Obligations Under NIS 2
Entities falling under NIS 2 must adhere to comprehensive cybersecurity obligations:
- Cybersecurity Risk Management: Implement appropriate technical and organizational measures to manage cybersecurity risks, including risk analysis, incident handling, business continuity, and supply chain security.
- Incident Reporting: Report significant incidents to the competent national authority or Computer Security Incident Response Team (CSIRT) within 24 hours of becoming aware, followed by a detailed report within 72 hours, and a final report within one month.
- Governance and Accountability: Management bodies are responsible for approving and overseeing cybersecurity measures. They must undergo regular training and can be held liable for non-compliance.
- Supply Chain Security: Assess and manage risks associated with suppliers and service providers, ensuring they also meet cybersecurity standards.
- Registration and Information Provision: Provide necessary information to national authorities, including details about services, contact information, and designated representatives.
- Penalties for Non-Compliance: Failure to comply can result in administrative fines of up to €10 million or 2% of the total annual worldwide turnover, whichever is higher. Additional penalties vary depending on the country of implementation; on this topic, you can read this article: NIS 2 – Personal Liability of Directors For Lack of Compliance is a Warning Message
DLA Piper’s Role in Facilitating Compliance
At DLA Piper, we offer comprehensive support to gambling operators and their suppliers in addressing NIS2 compliance:
- Scoping and Applicability Assessment: We assist in determining whether your organization falls within the scope of NIS2, considering factors like size, sector, and services provided.
- Registration Assistance: Our team guides you through the registration process with the appropriate national authorities, ensuring timely and accurate submissions.
- Cybersecurity Framework Development: We help design and implement robust cybersecurity measures tailored to your organization’s needs, aligning with NIS2 requirements.
- Incident Response Planning: We assist in developing effective incident response plans, ensuring rapid and compliant reactions to cybersecurity incidents.
- Training and Awareness: We provide training programs for management and staff to foster a culture of cybersecurity awareness and compliance.
- Legal and Regulatory Guidance: Our experts offer ongoing legal advice to navigate the evolving regulatory landscape, ensuring continuous compliance.
The implementation of the NIS 2 Directive marks a significant shift in the cybersecurity landscape for gambling operators and their suppliers. With stringent obligations and tight deadlines, understanding and adhering to NIS 2 obligations is crucial. DLA Piper stands ready to assist in addressing this complex regulatory landscape, ensuring your organization remains compliant and secure.
Feel free to contact me if you want to know more. Also, don’t miss DLA Piper’s Gambling Laws of the World Guide.