Curaçao Sets 12-Month Cybersecurity Deadline for Operators

The Curaçao Gaming Authority (CGA) has opened consultation on new cybersecurity rules that will become mandatory for all licensed gambling operators and B2B suppliers. The framework introduces baseline CIS security controls, mandatory audits, and 24-hour incident reporting requirements, with licensees given 12 months to meet the minimum standards once the rules take effect.

For operators, the biggest change is the amount of direct oversight the CGA wants over daily technical operations. The proposed rules require multi-factor authentication on all internet-facing systems, monthly vulnerability scans, centralized audit logging, and regular asset reviews. The regulator also wants operators to report incidents tied to player funds, personal data, gaming integrity, or downtime within 24 hours.

The framework goes further than many offshore licensing models by placing direct compliance responsibility on B2B suppliers as well. Platform providers, aggregators, RNG suppliers, and sports data companies will all face separate accountability under the rules instead of sitting under the operator’s compliance umbrella.

Operators will also need to check suppliers more closely. The rules require yearly certification checks, audit rights in supplier contracts, and procedures for removing games or services if a supplier loses certification or fails security rules. The CGA also introduced requirements for aggregators and sports data providers, including encrypted feed connections and monitoring for unusual activity.

The regulator mapped the framework against ISO/IEC 27001:2022 standards to help operators align with broader security certification processes. At the same time, the CGA kept several operational controls that target smaller gambling businesses directly, including DNS filtering and weekly unauthorized asset detection.

Operators that fail to meet the requirements could face financial penalties, licence suspension, or permanent licence loss under the proposed framework. The CGA also plans to use remote scans, automated compliance checks, and unannounced inspections to monitor higher-risk licensees.

💡TGJ Take

These rules raise compliance costs for operators and suppliers in Curaçao. B2B providers will now face direct responsibility from the regulator instead of relying on operators to handle most compliance issues. Operators will also need to spend more time checking supplier certifications, security controls, and incident procedures. Larger companies already working under similar rules in other regulated markets will likely adjust faster than smaller suppliers.
