Newsletter 58

15 Jan 2025

Updated certification programme for betting and online casino

The Danish Gambling Authority has updated the certification programme for betting and online casino because of the introduction of supplier licences from 1st of January 2025.
The updated certification programme for betting and online casino came into force on January 1 2025, and is mandatory to use from July 1 2025. This means there is a 6 months transition period, where both versions of the certification programme can be used.

Responsible for certifications

The purpose with the update is to make it more clear, which requirements licence holders and game suppliers respectively shall comply with looking forward.
Based on this one of the most significant changesis, that looking forward game suppliers are responsible for their own certifications. This means that licence holders and game suppliers each are responsible for having their own certifications completed and have them submitted to the Danish Gambling Authority.
Since game suppliers looking forward have their own licence and their own responsibility for certifications, the licence holder’s former obligation to compilate reports from their game suppliers has ended. The obligation to compilate ends on January 1 2025, no matter which version of the certification programme is used.

Issuing certification reports

Certification reports must be issued to the company, who holds the licence for either offering games or as a game supplier. The reason for this is, that each licence holder and game supplier have a independent responsibility towards the Danish Gambling Authority, why it must be clear, that the certification covers the licence holder / Game supplier in question.
If completed certification work, which at the same time covers e.g. 2 companies, who both have a game supplier licence, then 2 reports must be issued – one in the name of each company. The same applies, if we are dealing with certification work, which at the same time covers 1 company, who has a licence to offer games and 1 company, who has a game supplier licence.

Overview of the updated certification programme
Overblik over certificeringsprogrammets dokumenter

* There are 3 versions of requirements for games - One for online betting, one for land-based betting and one for online casino.
** When licence holders submit certification reports they must select the category “Certification – Licence holder” in the contact form on the Danish Gambling Authority’s website. Game suppliers must select the category “Certification – Game supplier”.

Other changes

  1. In SCP.00.00 ‘General requirements’ the following new definitions have been added: ‘Licence holder’, ‘game supplier’, ‘base platform’, ‘game platform’ and ‘game certificate’. Furthermore, the definition ‘Testing’ has been renamed to ‘Test’ and rephrased, and the definitions ‘inspection’ and ‘gambling system’ have been rephrased.
  2. The following new documents have been added:
    1. SCP.01.00 ‘Requriments for RNG’ is based on requirements from the previous testing standards. The document only contains requirements for RNG. The rest of the requirements from the testing standards are moved to SCP.07.01-03 ‘Requirements for games’. See further information about SCP.07 below.
    2. SCP.02.00 ‘Requirements for base platform’ is based on requirements from the previous inspection standards. The document only contains requirements for the base platform, which primarily covers handling of the player account. The rest of the requirements from the inspection standards are moved to SCP.07.01-03 ‘Requirements for games’. 
      1. It is only the licence holder who shall be certified in accordance with the requirements in SCP.02.00 and submit documentation for this certification. This also applies in a situation where the licence holder’s base platform is entirely or partially supplied by a supplier.
    3. SCP.07.01-03 ‘Requirements for games’ are 3 new documents based on requirements from the previous testing- and inspection standards. The documents only contain requirements for games for online betting (SCP.07.01), land-based betting (SCP.07.02) and online casino (SCP.07.03) respectively. Game suppliers shall be certified in accordance with requirements in these documents. If a licence holder produces games for their own game offer, then the licence holder is also obligated to be certificed in accordance with these requirements.
  3. According to SCP.01.00 ‘Requirements for RNG’ it is possible to postpone the certification up to 1 month. This option is also added to the new documents SCP.07.01-03 ‘Requirements for games’. Postponing the certification means, that the certification can be completed 1 month later, but the certificate shall still be uploaded to the games register whitin the same deadline.
  4. A general change has been made to the role as superviser at the testing organisations. The superviser is, amongst other, responsible for signing the standard reports. Looking forward the requirements for a superviser is based on requirements for a superviser in e.g., ISO, PCI, or CREST (see section 2.3 in SCP.00.00 General requirements).
  5. In SCP.04.00 ‘Requirements for penetration testing’ the expectations to the testing organisation’s personnel in relation to experience and personal certifications are moved from the superviser to the personnel, who performs the penetration test, because it is essential for the quality of the penetration test, that the personnel possess the necessary qualifications. The testing organisation shall therefor, like for any other certification area, hire and educate sufficiently qualified, competent, and experienced personnel.
  6. In SCP.04.00 ‘Requirements for penetration testing’ CREST accreditation is added as a recognized accreditation for companies, who perform penetration testing (see section 2.2.1).
  7. In SCP.05.00 ‘ Requirements for vulnerability scanning’ CREST accreditation is added as a recognized accreditation for companies, who perform vulnerability scans (see section 2.2.1). Furthermore, CREST CPSA and CRT certifications are added as recognized personal certifications for personnel, who plans vulnerability scans (see section 2.2.2).
  8. In SCP.06.00 ‘Change management system’ section 4.3 about the process for approval of system changes has been changed. Since game suppliers will have their own licence looking forward, and thereby have the responsibility for their certifications themselves, they shall no longer seek approval from the licence holder ahead of making a system change. The game supplier must still be aware of situations, where it can be necessary to involve the licence holder and reverse.
  9. In SCP.06.00 ‘Change management programme’ a new section with a requirement about system changes, which include integration between the base- and game platform, has been added. The requirement means, that the licence holder and game supplier shall establish a business process which ensures, that the base- and game platform functions correctly after integration. The DGA do not think, that this requirement will entail further burdens on the licence holder and game supplier, since it must be expected that measures have already been taken today to ensure, that the gambling system functions correctly. The business process shall be approved by the testing organisation in connection with the annual ceritification of SCP.06.00.
  10. A consequnce of the update is, that the certification programme for betting and online casino no longer has the same structure as the certification programme for lotteries and land-based casino.