DORA and iGaming: 15 Questions Operators Are Asking About Compliance

DORA came into force on January 17, 2025. Most iGaming operators have questions, not answers. These 15 questions cover the practical compliance reality for MGA-licensed operators — without the legal boilerplate.

DORA is now in force. MGA enforcement of DORA-aligned requirements has begun.

DORA Scope and Applicability

  • Q: Does DORA apply to iGaming companies? A: Yes — MGA-licensed operators and their critical ICT providers are expected to comply with DORA principles.
  • Q: What is a "critical ICT third-party provider" under DORA? A: Any ICT provider whose service failure would materially impact your ability to provide regulated gaming services.
  • Q: Does DORA have proportionality provisions? A: Yes. Smaller operators face lighter requirements. But incident reporting and third-party risk management obligations apply broadly.

DORA Third-Party Requirements

  • Q: What contractual provisions does DORA require with ICT vendors? A: Security obligations, audit rights, incident notification SLAs, business continuity requirements, and exit strategy provisions.
  • Q: Do we need to notify the MGA when a vendor has a breach? A: If the vendor breach constitutes a "major ICT incident" affecting your regulated services — yes, under the DORA incident reporting requirements.
  • Q: How many vendors need to be in our ICT register? A: All critical ICT providers — typically 15–40 for a mid-size operator.

Frequently Asked Questions

What is the penalty for DORA non-compliance?

The MGA can impose conditions, fines, or licence suspension for non-compliance with DORA-aligned requirements. For ICT third-party providers directly subject to DORA, competent authorities can impose fines of up to 1% of average daily global turnover for each day of non-compliance.

How does Panorays help with DORA compliance?

Panorays automates the third-party ICT risk management DORA requires — continuous monitoring, risk rating, and audit trail generation for all vendors in your register. It also manages the questionnaire workflow for gathering DORA-required contractual evidence.

What is the DORA incident reporting timeline?

For major ICT incidents: initial notification within 4 hours of classification; intermediate report within 72 hours; final report within 1 month. The definition of "major" is based on the number of users affected, downtime duration, and data exposure.

Get DORA-compliant with a structured programme

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
