MGA Cybersecurity Requirements: 20 Frequently Asked Questions Answered

The MGA's cybersecurity requirements are detailed, evolving, and consequential. Non-compliance risks licence suspension. These are the 20 questions operators ask most frequently — answered clearly, without jargon.

The MGA can suspend or revoke a licence for sustained non-compliance with security requirements.

Licensing and Compliance Questions

  • Q: Is cybersecurity a licence condition? A: Yes. The MGA Gaming Authorisations Regulations require documented security programmes as a condition of licence.
  • Q: What happens if I fail an MGA security audit? A: Licence conditions may be imposed requiring specific remediation steps. Sustained non-compliance risks suspension.
  • Q: How often does the MGA audit cybersecurity? A: The MGA can audit at any time and conducts planned reviews as part of licence renewals.

Technical Requirement Questions

  • Q: Is penetration testing mandatory? A: Yes. Independent penetration testing is required. "Independent" means not conducted by internal staff.
  • Q: How often must pen tests be conducted? A: At minimum annually, and after significant system changes. Continuous testing (Hadrian) exceeds this requirement.
  • Q: Is ISO 27001 certification required? A: An ISO 27001-aligned programme is required. Actual certification is not mandatory but demonstrates compliance clearly.
  • Q: What is the MGA's position on DORA? A: The MGA aligns with DORA requirements for all EU-regulated operators and expects all licensees to implement DORA-aligned ICT risk management.

Frequently Asked Questions

Where can I find the MGA's official cybersecurity requirements?

The MGA publishes its cybersecurity requirements in the Gaming Authorisations Regulations and associated technical standards. The MGA website (mga.org.mt) contains the current regulatory framework.

Does using a white-label platform mean my platform provider's security covers me?

No. Your licence is personal to your company. Your security obligations exist regardless of what your platform provider has certified. The MGA will audit your controls, not your vendor's.

What security evidence does the MGA want at licence renewal?

Typically: current information security policy, recent penetration test report (executive summary), risk register, incident log (12 months), third-party ICT vendor register, and evidence of staff security training.

Get a compliance assessment before your next MGA audit

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
