The gambling regulator in Denmark recently updated its requirements for certification of gaming operators and initiated a consultation period related to the amendments.
The Danish Gambling Authority (DGA) announced on its website changes affecting certification for land-based gaming operators, online bookmakers and iGaming casino companies, while allowing interested parties almost two months to comment on the updates.
There was no specific date set for the completion of the regulatory update, though the DGA is expecting the proposed changes to come into force in 2022, setting August 31, 2021 as the final deadline for submitting comments regarding the proposed changes by all interested parties.
Requirements for Testing
A previous requirement for testing organizations to have at least three years of experience is now removed, the DGA outlined, as it prevented testing organizations which were recently established from performing certification work as per the certification program. The DGA is now shifting its focus towards the people involved in the actual work, rather than the amount of years an organization has been in the business, keeping current employees’ requirements untouched.
The DGA also stated it will only accept ISO 17025 looking forward, removing ISO 17020 as a possible accreditation, as an ISO accreditation will no longer be needed to perform vulnerability scans and penetration testing, but maintaining the need for an Approved Scanning Vendor status in accordance with OCI DSS.
The DGA clarified that a PCI-approved vulnerability scan should be completed prior to granting a license and after the license is received on a regular 3-month basis, as the requirement was not clear enough, which led to the use of vulnerability scans of a lower standard.
A vulnerability scan completed ahead of a penetration test is considered a valid quarterly vulnerability scan if it is completed as per the requirements, the DGA added.
Storing Customer Data
With regards to storing customer data in ROFUS, the national register for self-excluded gamblers, the DGA now removed that requirement as it believes that “licence holders as a rule should not store information about customers’ status in ROFUS after the information has been used for the purpose, for which it was collected.”
The watchdog underscored that an updated standard report to accompany the changes, as well as several linguistic adjustments and alterations to guidance texts will be released, as soon as changes enter into force.
In terms of new games which do not fit the existing set of reporting requirements and can cause extensive development work on the regulator’s behalf, the DGA is adamant it should be informed long before the launch.