The CGA just published a 62-page cybersecurity framework for public consultation — open until 18 June 2026. For the first time, meeting recognised international security standards will be a mandatory condition of holding a CGA licence, for both operators and their B2B suppliers.
The baseline is CIS Controls Implementation Group 1 — covering access controls, vulnerability management, data backup, audit logging, incident response, staff training, and anti-malware. The CGA also expects most operators to progress to the more demanding IG2 level within 24 to 36 months.
The part most relevant to players: operators must notify the regulator within 24 hours of any cybersecurity incident affecting player funds, personal data, or gaming integrity. That's a direct player protection measure and a significant departure from the previous situation where operators could essentially handle breaches however they chose.
B2B providers — platforms, aggregators, sports data suppliers — are also covered as independent licence holders with their own compliance obligations. That's important because a lot of player data exposure historically came through third-party systems rather than operators directly.
The CGA has rejected around 38% of direct licence applications so far. Whether the cybersecurity framework gets meaningfully enforced is the real question — but the direction of travel is clearly toward something closer to what MGA or UKGC demand.
