Notification of certification programme version 2.0
On the 25th of January 2022, the Danish Gambling Authority (DGA) sent the updated version of the certification programme for online betting, land based betting and online casino to notification at the EU Commission. Until the new certification programme enters into force on 1 January 2023, there is a transition period in which you can choose to follow either the current or the updated certification programme.
Below, you can read about the transition period, the general changes across the certification programme and get an overview of the most significant changes made in the various documents.
The notification and the documents can be found in the EU Commission’s database, TRIS.
The documents are subject to any changes necessary to make based on the notification process.
Immediately after the end of the stand still process in connection with the notification on 26 April 2022, the updated documents will be uploaded to the DGA’s website, so they are available during the transition period until 1 January 2023, where v2.0 comes into force.
Please notice that because of the transition from NemID to MitID, requirement 3.2.3.1 of the inspection standards for online betting and online casino will be replaced, when the final requirements of the executive orders are ready.
Transition period 2022/2023
- From 1 January 2023, all tests, inspections, scans etc. shall be performed in accordance with v2.0 of the certification programme. Test and inspections etc. shall be performed by testing organisations with accreditations in accordance with v2.0.
- For the rest of 2022 there is freedom of choice between the current and the updated version of the certification programme.
- During 2022 test, inspections, scans etc. can be performed in accordance with the current version of the certification programme by testing organisations with the current accreditations or accreditations cf. v2.0.
- If test, inspections, scans etc. are performed in accordance with v2.0 the work obviously needs to be conducted by a testing organisation, who has accreditations in accordance with v2.0.
- The option to postpone the certification with two months on certain areas is also valid during the transition period. However, in this situation the DGA does not accept postponement across new year 2022/2023.
- We view each certification area separately. This means that we do not require that you “change” version of the certification programme in all areas at the same time. This means that you can use the updated requirements on vulnerability scans and penetration testing, but at the same time get an ISO17025 accredited testing organisation to do work in accordance with the current versions of the testing- and inspection standards (Please notice: In v2.0, ISO17025 cannot be used for inspection).
- After the end of the stand still period on 26 April 2022, licence holders are no longer required to send the quarterly reports on change management cf. document SCP.06.00.
Visualisation of the transition period
General changes
- Linguistic adjustments have been made and several guidance texts have been added / adjusted across the certification program.
- The deadline for submitting documentation for completed certifications has been clarified directly in the certification programme.
- Significant changes have been made to the requirements for the testing organisations who carry out testing and inspection etc. of the licence holder’s gambling and business systems. The changes made in this area are illustrated below.
Requirements for testing organisations
Current requirements
- Testing standards: ISO 17020 or ISO 17025
- Inspection standards: ISO 17020 or ISO 17025
- Information security management system: ISO 17020 or ISO 17025
- Penetration testing: ISO 17020 or ISO 17025 + PCI/ASV-approval
- Vulnerability scanning: ISO 17020 or ISO 17025 + PCI/ASV-approval
- Change management programme: ISO 17020 or ISO 17025
Future requirements
- Testing standards: ISO 17025 or ISO 17065
- Inspection standards: ISO 17020 or ISO 17065
- Information security management system: ISO 17021-1 or ISO 17065
- Penetration testing: ISO 17025, ISO 17065 or PCI/ASV-approval
- Vulnerability scanning: PCI/ASV-approval
- Change management programme: ISO 17021-1 or ISO 17065
Explanation of ISO accreditations
- ISO 17020: Requirements for the operation of various types of bodies performing inspection.
- ISO 17021-1: Requirements for bodies providing audit and certification of management systems.
- ISO 17025: General requirements for the competence of testing and calibration laboratories.
- ISO 17065: Requirements for bodies certifying products, processes and services.
The DGA has found it necessary to make the changes above, so ISO accreditations targeted the individual areas are used. Among other things, this means that ISO17020- and ISO17025 accreditations targeted inspection bodies and testing laboratories, respectively, and which have been used for all areas up until now, in the future only will be used in the areas targeted by the ISO accreditation.
Neither ISO17020 nor ISO17025 targets the assessment of management systems, which is why none of them are optimal to use in the areas “Information security management system” and “Change management programme”.
For vulnerability scanning, the DGA has chosen to still require an ASV-approval, since this is considered the leading standard within vulnerability scannings.
For penetration testing the quality of work is highly dependent on personal qualities. However, The DGA has assessed, that in addition to the personal qualifications, there is a need for the testing organisations to document that they, as a company, live up to certain standards. The testing organisations shall consequently have an ISO-17025, an ISO-17065 or an ASV-approval to be able to conduct penetration testing.
The DGA notices, that the new ISO accreditations brought into play in the update of the certification programme, should not be unknown to testing organisations operating in the gambling industry, since they are already in use in other jurisdictions.
The requirement stating that a testing organisation must have at least three years of experience is removed. This requirement prevented newly established testing organisations, among others, from performing certification work according to the certification programme. In relation to experience, the DGA is of the opinion that it is more important to consider the people involved in the actual work, and less important how many years a company has been in business. Therefore, we maintain the requirements regarding the employees’ experience.
Overview of significant changes
General requirements
- The requirements for reporting the certification have been specified.
- The requirements for supervising the certification work have been specified.
- It is specified in a new section, that the first certification shall be completed in connection with the licence application. At the same time, it is clarified, that to approve the first certification, it shall be completed without any errors or shortcomings.
- It has been specified, when and how risk assessment can be used to approve requirements.
Testing standards
- RNG requirements regarding result generating and RNG requirements regarding other functionality have been merged in one section.
- The requirements regarding the gambling system ensuring that it takes at least 3 seconds to complete a game have been moved from the inspection standards to the testing standards. (Online casino)
- Requirements regarding test of equipment used for live casino have been added. This covers for instance requirements for roulette, card shufflers and card shoes. (Online casino)
Inspection standards
- The structure in the document has changed, so main sections now appear in the following order:
- Written presentation,
- visual presentation,
- general gambling functionality and
- special gambling functionality.
- The requirement saying that the gambling system should store customers’ status in ROFUS has been removed. The DGA believes that licence holders as a rule should not store information about customers’ status in ROFUS after the information has been used for the purpose, for which it was collected.
- The title of the section on “Records, logs and data retention” has been changed to “Registration, maintenance and storage of data”, and the requirements in the section has been re-written to clarify what needs to be registered in which situations.
- The specific requirements on visual presentation of Blackjack and Baccarat/Punto Banco have been removed because they are already covered by general requirements for card games. (Online Casino)
- Addition of a new requirement for information on probability in connection with jackpots. (Online Casino)
- The requirements for online bingo have been moved to the section on peer-to-peer games to clarify, that this is the type of online bingo, that can be offered under an online casino licence. (Online Casino)
- Requirements regarding closure of bets before they are settled (cash out) have been added to the section on Special gambling functionality. (Betting)
Information Security Management System
- Clarification of which testing organisations can perform a potential ISO 27001 certification, which can replace the inspection in accordance with the DGA’s requirements for Information Security Management System.
Penetration testing
- In the Danish version “Indtrængningsefterprøvning” has been renamed to “penetrationstest” since this phrasing is more commonly used.
- It has been specified which procedure must be followed in relation to reporting and re-testing if a penetration test is not passed.
- The section on use of an internal function to perform penetration tests has been removed.
Vulnerability Scanning
- It has been clarified that vulnerability scans shall be PCI approved.
- It is clarified that the vulnerability scan, which is typically performed prior to a penetration test, can be considered a valid quarterly vulnerability scan if performed in accordance with the requirements.
- It has been specified which procedure must be followed in relation to reporting and re-scan if a vulnerability scan is not passed.
- The section on use of an internal function to perform vulnerability scans has been removed.
Change Management Programme
- The requirement for sending quarterly reports to the DGA has been removed. Please see the last item in the description of the transition period above.
- Detailed description of situations, where the DGA needs to give a prior approval of new and changed games have been removed. Looking forward only the general requirements for this will appear in the change management programme. The detailed description will appear in the technical requirements for online casinos and betting.