WILLEMSTAD – The Curaçao Gaming Authority (CGA) has published its first formal Information Security Control Requirements framework for public consultation, introducing sweeping new cybersecurity obligations that will become mandatory for all licensed online gaming operators and suppliers on the island.
The new 62-page framework, released in April 2026 under Curaçao’s updated gaming legislation, marks a major step in the government’s effort to modernize regulation of the island’s online gambling industry.
According to the CGA, all licensed B2C and B2B operators will be required to comply with internationally recognized cybersecurity standards as part of their licensing conditions.
The framework adopts the internationally known Center for Internet Security (CIS) Controls Implementation Group 1 (IG1) as the mandatory baseline for operators. However, the regulator stressed that this minimum standard is only the starting point.
The CGA said it expects most operators to eventually move toward the more advanced IG2 cybersecurity level within the next 24 to 36 months because of the gaming sector’s exposure to sensitive player data, payment systems and cyber threats.
Under the proposed rules, operators will have 12 months from the issuance of their license — or from the publication of the guidelines — to demonstrate compliance with the IG1 standards.
The requirements include maintaining updated hardware and software inventories, mandatory multi-factor authentication for internet-facing systems, monthly vulnerability scans and detailed audit logging of gameplay transactions, jackpots, financial movements and administrative system changes.
The framework also introduces strict incident-reporting obligations. Operators must notify the CGA within 24 hours of cybersecurity incidents affecting gaming integrity, player funds, personal data or system availability. Failure to report incidents could constitute a breach of licensing conditions.
One of the most significant changes is that the new rules will apply directly not only to online casino operators, but also to B2B technology providers supplying platforms, games and sports betting data.
According to the CGA, both sides of the gaming supply chain will carry direct regulatory responsibility.
The document also places special emphasis on content aggregators and sports data feed providers, requiring encrypted connections, integrity monitoring and documented suspension procedures if data reliability cannot be guaranteed.
The framework is mapped against the ISO/IEC 27001:2022 standard, allowing companies to integrate the requirements into broader information security management systems and potentially work toward ISO certification.
The CGA warned that non-compliance could result in formal warnings, financial penalties, compliance orders or even temporary or permanent license suspension. The regulator also reserves the right to conduct unannounced inspections, remote compliance scans and on-site audits.
The public consultation period runs until June 18, 2026, after which the framework is expected to become part of Curaçao’s strengthened gaming oversight regime.