UKGC RTS Security Requirements: A Plain-English Breakdown for Operators

The UK Gambling Commission's Remote Gambling and Software Technical Standards (RTS) Section 4 sets out specific security requirements for all UKGC-licensed operators. With the Commission increasingly focused on compliance enforcement and the RTS updated in January 2025, operators need to understand exactly what's required.

The UKGC can revoke licences for persistent security non-compliance.

RTS Section 4: Core Security Requirements

RTS Section 4 requires UKGC-licensed operators to have a comprehensive information security programme covering:

  • An annual third-party security audit conducted against recognised standards (ISO 27001 accepted)
  • Audit report submitted to the Commission within 7 days if requested
  • Major non-conformities proactively reported to the UKGC
  • PCI DSS compliance for all payment card processing
  • Certified RNG for all games of chance
  • Fraud detection and prevention controls
  • Protection of customer funds and prevention of theft
  • Business continuity and disaster recovery planning

How ISO 27001 Satisfies UKGC Audit Requirements

Like the MGA, the UKGC accepts a current ISO 27001 certificate from an accredited certification body as evidence of compliance with RTS Section 4 security audit requirements. Operators who hold dual MGA and UKGC licences — the most common combination for international operators — can use a single ISO 27001 certification to satisfy both regulators' audit requirements.

Frequently Asked Questions

How often must we conduct a UKGC security audit?

Annually as a minimum. The UKGC can request your audit report at any time, so the report must always be current and available.

What happens if we fail the UKGC RTS security audit?

Major non-conformities must be reported to the UKGC proactively. The Commission may require remediation plans, conduct investigations, impose licence conditions, or in serious cases suspend or revoke the licence.

Do UKGC requirements differ from MGA requirements?

They are substantially similar — both align with ISO 27001 and PCI DSS. Operators holding both licences can implement a single security programme that satisfies both.

Get help preparing your UKGC security audit

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
