28 May 2025 | 5 minute read

NIS 2 and Gambling – A Strategic Imperative for Gaming Operators and their Suppliers

The implementation of the NIS 2 Directive (Directive (EU) 2022/2555) introduces a stringent cybersecurity framework applicable across the European Union. Gambling operators and their suppliers are increasingly required to assess their cybersecurity posture and ensure compliance with the Directive’s robust obligations.

 

Overview of the NIS 2 Directive and Its Applicability to the Gambling Sector

The NIS 2 Directive aims to enhance the overall resilience of essential and important entities by establishing a high common level of cybersecurity across Member States. While the gambling sector is not explicitly identified among the Directive’s critical sectors, gambling operators and their service providers may nonetheless fall within its scope if they meet specific criteria concerning their size, service nature, and potential societal or economic impact.

In particular, the following categories may be subject to the NIS 2 framework:

  • Digital Service Providers: Including online gambling platforms offering services such as online marketplaces or social networking functions.
  • Managed Service Providers: Entities offering IT services – such as cloud computing, data centers, or cybersecurity solutions – supporting gambling operators.

Consequently, gambling operators and their suppliers must promptly assess their eligibility under the Directive and initiate the requisite compliance activities.

 

Italy’s Implementation – Legislative Decree No. 138/2024

Italy is among the very few countries that have transposed the NIS 2 Directive into national legislation, doing so via Legislative Decree No. 138, effective from 18 October 2024. The Decree broadens the scope of cybersecurity obligations and introduces a structured timeline for compliance:

  • 1 January – 28 February 2025: Entities identified under Article 3 were required to register on the designated national platform.
  • 31 March 2025: The Italian National Cybersecurity Agency (ACN) compiled the list of subject entities.
  • 15 April 2025: ACN notified entities regarding their inclusion or exclusion from the list.

Entities that meet the criteria by 31 December 2025 are granted transitional deadlines:

  • Within 9 months: Compliance with incident notification obligations.
  • Within 18 months: Compliance with training, governance, and risk management measures.

Further information is available in our in-depth analysis: [NIS 2 in Italy – Deadlines and Obligations].

 

Malta’s Approach – Legal Notice 71 of 2025

Malta, a jurisdiction of establishment for several gambling operators, enacted Legal Notice 71 of 2025, titled “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025”. Published on 8 March 2025, the Notice repeals the previous NIS 1 regime and establishes a more rigorous compliance framework.

 

Key Provisions Include:
  • Self-Registration: Entities must self-register through a mechanism managed by the Critical Infrastructure Protection Department (CIPD).
  • Regulatory Oversight: The CIPD acts as the designated competent authority, empowered to oversee compliance, conduct audits, and impose administrative sanctions.
  • Incident Coordination: Malta’s Computer Security Incident Response Team (CSIRT) plays a central role in response coordination and vulnerability disclosure.
  • Coordinated Vulnerability Disclosure (CVD): A formal mechanism allows entities to report vulnerabilities in ICT products or services, with CSIRT acting as the national coordinator.

 

Core Obligations Under NIS 2 for Gambling Operators and Suppliers

Entities identified under NIS 2 must implement a wide range of cybersecurity controls, including:

  • Cybersecurity Risk Management: Adoption of adequate technical and organizational measures encompassing risk analysis, incident management, business continuity, and supply chain resilience.
  • Incident Reporting: Mandatory reporting of significant incidents to the national CSIRT within 24 hours of identification, followed by a detailed report within 72 hours and a final report within one month.
  • Governance and Accountability: Management bodies bear responsibility for approving and overseeing cybersecurity strategies. They must undergo regular training and may be held personally liable for compliance failures.
  • Supply Chain Security: Entities must assess and monitor cybersecurity risks originating from third-party service providers and ensure alignment with applicable standards.
  • Information Provision: Timely and complete provision of service-related information to national authorities is required, including designated points of contact and representative details.
  • Sanctions: Non-compliance may lead to fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Sanctions may vary by Member State.

 

How DLA Piper Can Assist

DLA Piper provides end-to-end support to gambling sector stakeholders in fulfilling their NIS 2 compliance duties:

  • Scope Assessment: Identification of whether the organization qualifies as an “essential” or “important” entity under NIS 2.
  • Registration Support: Guidance throughout national self-registration and documentation processes.
  • Cybersecurity Frameworks: Development and implementation of tailored cybersecurity measures aligned with legal requirements.
  • Incident Response Plans: Structuring effective response strategies to meet reporting and remediation obligations.
  • Training and Capacity Building: Delivery of executive and team-level training to enhance awareness and accountability.
  • Regulatory Advisory: Ongoing legal support to navigate evolving cybersecurity regulations and mitigate legal risk.

The introduction of the NIS 2 Directive signifies a paradigm shift in the European cybersecurity regulatory landscape. For gambling operators and their suppliers, a proactive and structured compliance strategy is not merely advisable; it is essential. DLA Piper is fully equipped to support your organization in interpreting and implementing NIS 2 obligations.

For further information, please feel free to reach out. Read more about Gambling legal issues across the globe in our updated Gambling Laws of the World Guide here.
