DORA Compliance Guide for iGaming Operators: What You Must Do by January 2025
DORA — the EU Digital Operational Resilience Act — entered into force on January 17, 2025. MGA-licensed operators whose parent entities are in EU jurisdictions are directly in scope. Those who operate in Malta as their primary licensing jurisdiction face MGA enforcement of DORA-aligned requirements. This is not a future problem. It is a present one.
DORA entered into force January 17, 2025. MGA enforcement is already underway.
The Five DORA Pillars and What They Require
1. ICT Risk Management: formal ICT risk management framework, board oversight, annual review
2. ICT Incident Classification and Reporting: classify major incidents, report to MGA within 4 hours of classification, follow-up report within 72 hours
3. Digital Operational Resilience Testing: annual threat-led pen testing for significant operators; Hadrian continuous testing satisfies this requirement
4. Third-Party ICT Risk Management: register of all ICT providers, risk classification, contractual security obligations, exit strategies for critical providers
5. Information Sharing: participation in threat intelligence sharing frameworks (optional but encouraged)
Third-Party Risk: The Hardest Part of DORA
DORA requires you to maintain a register of all third-party ICT providers, classify them by criticality, assess their security posture, and have contractual provisions covering resilience, audit rights, and exit strategies. For most iGaming operators, this means 15–40 vendors need formal risk assessments. Panorays automates this — turning a manual 6-month project into a continuous process.
Frequently Asked Questions
Does DORA apply to small iGaming operators?
DORA has proportionality provisions — smaller operators face lighter requirements. But the MGA has made clear that DORA principles are expected across all licensed operators regardless of size. The third-party risk management and incident reporting requirements apply broadly.
What is a "critical ICT third-party provider" under DORA?
These are ICT providers whose disruption would significantly impact your ability to provide regulated services. For iGaming, this typically includes your PAM provider, payment processors, cloud infrastructure provider, and any other vendor whose failure would prevent you from operating.
Get DORA-compliant with our third-party risk programme
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.