iGaming Cybersecurity: What Player Data Protection Standards Apply in 2026
iGaming Cybersecurity Standards Have Never Been More Consequential
The online gambling sector has faced a sustained period of elevated cyber threat activity, with several high-profile operators across the casino and sports betting space reporting data incidents involving player personal information. Against this backdrop, regulators in the UK, Malta, and the EU more broadly are either tightening existing cybersecurity expectations or actively developing new technical standards that will become licence conditions.
What the MGA Requires
The Malta Gaming Authority's player data protection framework requires MGA-licensed operators to:
- Implement and maintain a documented Information Security Management System (ISMS) aligned to ISO 27001 or an equivalent standard
- Report data breaches to the MGA within 72 hours of becoming aware of an incident, and notify affected players where the breach creates significant risk
- Conduct annual penetration testing by accredited third-party security firms, with results and remediation plans available to the MGA on request
- Encrypt all player financial data at rest and in transit using current industry-standard encryption protocols (minimum AES-256)
The MGA also expects operators to maintain written business continuity and disaster recovery plans that have been tested within the preceding 12 months.
UKGC Cybersecurity Obligations
The UKGC's licence conditions require operators to have systems that protect players' funds and personal data in line with applicable data protection law, specifically the UK GDPR and the Data Protection Act 2018. The Commission has indicated in recent supervisory communications that it regards inadequate cybersecurity as a potential threat to the licensing objectives, which means security failures can trigger licence review proceedings.
In practice, UKGC-regulated operators are expected to demonstrate compliance with the Cyber Essentials Plus framework as a minimum, and many larger operators hold ISO 27001 certification as part of their broader compliance infrastructure.
Current Threat Landscape
Social engineering attacks targeting casino staff, particularly those with privileged access to player account systems, have been identified as the primary vector in several recent sector incidents. Multi-factor authentication on privileged access accounts is now considered a baseline requirement by most regulators, and operators lacking MFA on administrative systems face increasing scrutiny.
Ransomware targeting both operational systems and player databases remains a persistent threat, with the gaming sector identified by cybersecurity firms as a high-value target due to the combination of financial data, personal identity data, and real-time transaction processing.
Industry Impact
Cybersecurity has shifted from a back-office IT function to a board-level governance concern in iGaming. Operators that invest proactively in security infrastructure avoid the compounding costs of incident response, regulatory enforcement action, player notification requirements, and reputational damage that follow a significant data breach. Regulators across multiple jurisdictions are expected to publish enhanced technical security standards guidance before the end of 2026.
