If you run or host an online casino, sportsbook, or iGaming platform serving European players, two EU laws now define whether your infrastructure is legally defensible: the GDPR and the NIS2 Directive. They are not optional add-ons to a licensing checklist. GDPR and NIS2 compliance for casino hosting means your data centre, cloud provider, and application architecture all have to satisfy data protection law and cybersecurity risk-management law at the same time — and the two frameworks don’t always pull in the same direction.
Most operators discover this the hard way: a GDPR data-retention policy that says “delete what you don’t need” collides with a NIS2 logging requirement that says “keep evidence for forensics.” This guide breaks down exactly where GDPR and NIS2 apply to casino hosting, who is actually in scope (the operator, the hosting provider, or both), what technical controls satisfy both regulators, and how Gart’s compliance and infrastructure engineering practice helps gaming platforms get audit-ready without slowing down releases.

Why GDPR and NIS2 Both Govern Casino Hosting
Online casino and sportsbook platforms sit at the intersection of two regulatory concerns that European lawmakers deliberately separated into two directives: protecting the personal data of individuals (GDPR) and protecting the network and information systems that critical digital services depend on (NIS2). A casino platform processes both — KYC documents, payment details, gameplay and betting history, and responsible-gambling behavioural data — on infrastructure that, by its nature as always-on, real-money, high-availability digital infrastructure, looks a lot like the kind of service NIS2 was written to protect.
The practical result is that a casino hosting stack is rarely evaluated against just one framework. Regulators, payment processors, and licensing bodies increasingly expect operators to demonstrate both data protection compliance and cybersecurity risk management maturity, and to be able to prove it with evidence, not policy documents.
🎯 The key distinction operators miss
GDPR protects people — it applies the moment you process the personal data of anyone in the EU, regardless of your size or sector. NIS2 protects infrastructure — it applies based on your sector, size, and role in the digital supply chain. A small casino operator might not trigger NIS2 directly, but the cloud provider, data centre, or content delivery network hosting that casino almost certainly does, because cloud computing, data centre, and CDN services are named explicitly in NIS2 Annex I as “digital infrastructure.”
Does NIS2 Apply to Online Casinos? Scope for Operators and Hosting Providers
The NIS2 Directive (EU) 2022/2555 does not list “gambling” or “gaming” as one of its named sectors in Annex I or Annex II. That leads a lot of operators to conclude, incorrectly, that NIS2 doesn’t concern them. In practice, casino and iGaming businesses are pulled into scope through two separate paths.
Path 1: The casino operator as a digital service provider
If your platform functions as an online marketplace, offers social or community features, or otherwise resembles the “digital provider” categories in NIS2 Annex II, you may be classified as an important entity in your own right, subject to the size thresholds (roughly 50+ employees or €10M+ turnover for medium enterprises, 250+ employees or €50M+ turnover for large ones).
Path 2: Your hosting provider as critical digital infrastructure
This is the path that matters for almost every casino platform, regardless of size. NIS2 Annex I explicitly names cloud computing service providers, data centre service providers, and content delivery network providers as “digital infrastructure” — a highly critical sector subject to the strictest obligations. If your casino platform runs on a qualifying EU cloud or data centre provider, that provider is contractually and legally obligated to run NIS2-grade risk management, incident reporting, and supply-chain security — and those obligations flow down to you through the hosting agreement, whether or not your own company is separately in scope.
Several EU member states have already transposed NIS2 into national law with gambling-specific relevance. Italy’s Legislative Decree No. 138/2024 (effective 18 October 2024) expanded cybersecurity obligations with a structured registration and compliance timeline. Malta — home to a large share of EU-licensed gambling operators — enacted Legal Notice 71 of 2025, replacing its previous NIS1 regime with self-registration through the Critical Infrastructure Protection Department and a dedicated national CSIRT. As DLA Piper’s analysis of NIS2 and gambling puts it, gambling operators and their suppliers “must promptly assess their eligibility under the Directive” rather than assume the absence of an explicit sector listing means the absence of obligations.
📋 What this means in practice
Before you can answer “are we NIS2 compliant,” you need a scoping exercise across three questions:
(1) does our own platform meet an Annex II digital-provider definition,
(2) is our hosting/cloud/CDN provider an Annex I essential entity, and
(3) does our national gambling regulator layer additional cybersecurity conditions onto our licence, independent of NIS2 itself. Gart’s infrastructure assessment is typically where this scoping starts.
GDPR Requirements for Casino and iGaming Platforms
Unlike NIS2, there’s no ambiguity about GDPR’s applicability: if your platform processes the personal data of anyone in the EU — players, affiliates, employees — GDPR applies, regardless of where your company or servers are based. For casino hosting specifically, four requirements come up repeatedly in regulatory guidance and enforcement actions.
A Data Protection Officer is effectively mandatory
Gambling operators typically carry out large-scale, systematic monitoring of individuals (fraud detection, responsible-gambling monitoring, behavioural profiling) and process special-category data for anti-money-laundering purposes. Both conditions independently trigger the GDPR Article 37 requirement to appoint a Data Protection Officer.
DPIAs for profiling and AML/CFT processing
Two categories of processing that are core to how casino platforms operate require a Data Protection Impact Assessment as a matter of course: systems that identify excessive or at-risk gambling behaviour, and systems that support anti-money-laundering and counter-terrorist-financing (AML/CFT) checks. Both involve profiling with potentially significant effects on the individual — precisely the trigger GDPR Article 35 is built around.
Consent, cookies, and marketing
GDPR Article 7 requires that consent for gambling marketing — emails, SMS, targeted advertising, retargeting pixels — be freely given, specific, informed, and as easy to withdraw as it was to give. Cookie consent banners that pre-tick marketing categories, or that make declining harder to find than accepting, are a recurring enforcement target across EU data protection authorities.
Data residency and international transfers
Many casino platforms run analytics, fraud-scoring, or customer-support tooling on US-based SaaS vendors. Since the invalidation of Privacy Shield (Schrems II), transfers of EU player data to the US require Standard Contractual Clauses plus a documented transfer impact assessment — not just a checkbox in a vendor’s terms of service. This is one of the more concrete reasons operators are re-evaluating EU-based hosting and digital sovereignty rather than defaulting to US hyperscalers.
France’s gambling regulator (ANJ) and data protection authority (CNIL) jointly published a 59-page GDPR compliance guide for licensed gambling operators in May 2026, addressing exactly this intersection of licensing obligations and data protection law — a strong signal that regulators are converging on sector-specific GDPR guidance rather than leaving operators to interpret general-purpose text.
Where GDPR and NIS2 Overlap — and Where They Pull Apart
The two frameworks reinforce each other on security fundamentals — encryption, access control, incident response — but they diverge sharply on data retention, and that divergence is exactly where casino hosting architectures get into trouble.
| Dimension | GDPR position | NIS2 position |
|---|---|---|
| Data retention | Storage limitation principle — keep personal data only as long as necessary for the stated purpose | Encourages retaining logs, audit trails, and forensic evidence long enough to detect and investigate incidents |
| Primary objective | Protect the rights and freedoms of individuals whose data is processed | Protect the availability, integrity, and confidentiality of network and information systems |
| Who it applies to | Any controller/processor handling EU personal data, regardless of sector | Entities in named sectors (Annex I/II) above size thresholds — including hosting/cloud/CDN providers |
| Breach/incident reporting | 72 hours to the supervisory authority; affected individuals notified if high risk | 24-hour early warning, 72-hour detailed report, final report within one month to the national CSIRT |
| Governance | Data Protection Officer oversight; accountability principle (Article 5(2)) | Management-body approval and oversight of cybersecurity measures; personal liability for gross negligence |
The practical fix is architectural, not political: separate personal data from security telemetry at the schema level. Audit logs, IDS/IPS alerts, and access logs used for NIS2 incident forensics should be pseudonymised and retained under a security-specific retention schedule, distinct from the player-data retention schedule your GDPR Record of Processing Activities defines. Trying to run one retention policy for both purposes is the single most common source of audit friction Gart sees in iGaming infrastructure reviews.
Choosing GDPR- and NIS2-Ready Hosting Infrastructure
Where you host a casino platform is no longer a pure cost-and-latency decision — it’s a compliance decision with legal consequences. Three factors determine whether a hosting environment actually helps you meet GDPR and NIS2 obligations, or quietly works against you.
EU data residency and sub-processor transparency
Hosting player data on EU soil, with an EU-based cloud provider that publishes a complete, current sub-processor list, removes an entire category of GDPR international-transfer risk. Operators are increasingly comparing providers like Hetzner and IONOS specifically on data-sovereignty grounds — see Gart’s Hetzner vs. IONOS comparison for how these EU-native providers differ on compliance-relevant criteria like data centre location, certification scope, and contractual DPAs.
Provider-level NIS2 posture
Ask any hosting or cloud provider directly: are you classified as an essential entity under NIS2 in your jurisdiction of establishment, and can you share your incident-reporting SLAs and supply-chain security attestations? A provider that can’t answer this clearly is a supply-chain risk you’re inheriting without visibility into it — and NIS2 explicitly makes supply-chain security a first-class obligation for entities in scope.
Architecture that supports both regimes at once
Network segmentation that isolates wallet, KYC, and payment services from public-facing game clients serves GDPR’s data-minimization-by-design principle and NIS2’s risk-management requirements simultaneously — a single architectural decision satisfying two regulators. Gart’s DevOps practices for iGaming, casinos, and sports betting platforms cover this kind of compliance-aware Kubernetes and network design in more depth.
Technical Controls That Satisfy Both Regulations
Rather than building two parallel compliance programs, most of the technical work overlaps. The table below maps common infrastructure controls to the specific GDPR and NIS2 obligations they help satisfy.
| Control | Satisfies GDPR by… | Satisfies NIS2 by… |
|---|---|---|
| Encryption at rest and in transit | Meeting Article 32 “appropriate technical measures” for security of processing | Meeting the baseline cryptography requirement under Article 21 risk-management measures |
| Role-based access control (RBAC) | Enforcing data minimization and the “need to know” principle for staff access to player data | Supporting access-control policy requirements under Article 21(2)(i) |
| Immutable audit logging | Demonstrating accountability (Article 5(2)) — who accessed what data, when | Providing the forensic evidence trail required for incident investigation and reporting |
| Network segmentation / Kubernetes NetworkPolicy | Reducing the blast radius of a breach involving payment or KYC data | Limiting lateral movement — a named risk-management measure under Article 21 |
| Vulnerability management & patching cadence | Preventing the kind of unpatched-system breach that triggers Article 33 notification | Meeting the explicit vulnerability-handling requirement in Article 21(2)(e) |
| Vendor / sub-processor due diligence | Satisfying Article 28 processor obligations and transfer impact assessments | Meeting the supply-chain security requirement in Article 21(2)(d) |
| Automated compliance-as-code (OPA/Gatekeeper) | Preventing configuration drift that could expose personal data by accident | Providing continuous evidence of risk-management measures for audits |
Incident Response and Breach Notification Timelines
One of the most common operational failures Gart sees during compliance reviews isn’t a missing control it’s a missing playbook that tells the on-call engineer which clock is ticking. GDPR and NIS2 run on different notification timelines, to different authorities, and a casino platform breach can trigger both at once.
| Milestone | GDPR (Article 33/34) | NIS2 (Article 23) |
|---|---|---|
| Who you notify | National data protection supervisory authority; affected individuals if high risk | National CSIRT or competent cybersecurity authority |
| First notification | Without undue delay, within 72 hours of becoming aware | Early warning within 24 hours of becoming aware |
| Detailed report | Included in the initial 72-hour notification (nature, scope, likely consequences) | Incident notification within 72 hours, updating the initial assessment |
| Final report | Not separately mandated, but documentation must be maintained under Article 33(5) | Final report within one month of the incident notification |
| Trigger threshold | A breach likely to result in a risk to individuals’ rights and freedoms | An incident with a “significant impact” on service provision |
Building one incident response runbook that maps a single security event to both timelines — rather than maintaining separate GDPR and NIS2 procedures that different teams own — is the difference between a controlled disclosure and a missed deadline discovered during an audit.
Penalties, Enforcement, and Personal Liability
The financial exposure under both regimes is large enough to change board-level risk appetite, and neither framework limits itself to fining the company.
- GDPR: up to €20 million or 4% of total worldwide annual turnover for the most serious infringements — unlawful processing, breach of data subject rights, or unauthorized international transfers — whichever amount is higher.
- NIS2 essential entities (including in-scope cloud, data centre, and CDN providers): up to €10 million or 2% of global annual turnover, whichever is higher.
- NIS2 important entities: up to €7 million or 1.4% of global annual turnover, whichever is higher, with fines doubling for a repeat offence within three years.
NIS2 also introduces something GDPR enforcement rarely reaches for in practice: personal liability. Article 32(6) empowers national authorities to hold management bodies accountable for gross negligence, including administrative fines against individual executives and, for essential entities, temporary bans from management functions. Combined with the ENISA guidance on NIS2 implementation, this makes cybersecurity governance a board-level obligation, not a delegated IT function — a shift that gambling operators, with their traditionally licensing-focused compliance functions, are still adjusting to.
⚖️ Licence risk compounds financial risk
For a casino platform, a GDPR or NIS2 enforcement action rarely stays contained to the fine itself. Regulators such as the Malta Gaming Authority can treat a data protection or cybersecurity failure as evidence of inadequate operational controls under the gaming licence itself — turning a compliance fine into a licence review.
Compliance Checklist for Casino Hosting
| Area | Action | Priority |
|---|---|---|
| Scoping | Determine whether your platform and/or your hosting provider fall under NIS2 Annex I or II | 🔴 Critical |
| GDPR governance | Appoint a DPO and complete DPIAs for problem-gambling detection and AML/CFT profiling | 🔴 Critical |
| Hosting | Confirm EU data residency and request your provider’s NIS2 classification and sub-processor list | 🔴 Critical |
| Incident response | Build one runbook covering both the GDPR 72-hour and NIS2 24/72-hour/1-month timelines | 🔴 Critical |
| Architecture | Segment wallet, KYC, and payment services from public-facing game clients | 🟠 High |
| Data lifecycle | Separate personal-data retention schedules from security-log retention schedules | 🟠 High |
| Consent management | Audit cookie banners and marketing consent flows for pre-ticked boxes or dark patterns | 🟠 High |
| Supply chain | Extend NIS2 supply-chain security assessments to payment, KYC, and analytics vendors | 🟡 Medium |
| Governance | Brief the management body on NIS2 personal-liability exposure and require sign-off on the risk register | 🟡 Medium |
Case Study: Regulatory-Ready Infrastructure for a Sportsbook Platform
One of Gart’s iGaming engagements involved migrating a US-facing sportsbook to AWS while meeting state-by-state data residency rules — a compliance problem with the same shape as GDPR/NIS2 data-residency requirements in the EU. The team designed a multi-region architecture with jurisdiction-specific VPCs and data controls enforced through Service Control Policies, paired with an Infrastructure-as-Code approach covering 100% of production resources, so every environment change was auditable by design rather than by afterthought.
Results: deployment time dropped from 4 hours to 22 minutes, feature delivery sped up by 60%, and the platform improved performance by 30–40% — all while making regulatory infrastructure reviews a matter of pulling Terraform state and Git history, not reconstructing what changed from memory.
Read the full case study: AWS Migration & Infrastructure Localization for Sportsbook Platform
Need casino hosting that passes a GDPR and NIS2 audit — not just a licensing check?
Gart designs and operates infrastructure for casino, sportsbook, and iGaming platforms with data protection and cybersecurity risk management built in from the architecture up — EU data residency, segmented environments, immutable audit trails, and incident-response runbooks that satisfy both regulators.
You might also like
- Strengthen Your Information Security with NIS2 Compliance Solutions
- Digital Sovereignty of Europe: Choosing the EU Cloud Provider
- DevOps Practices in iGaming, Casinos, and Sports Betting Companies
- What Is DevSecOps? Integrating Security into Your DevOps Pipeline
- Free NIS2 Compliance Checklist (PDF Guide)


