Cloud
IT Infrastructure
Migration

GDPR and NIS2 Compliance for Casino Hosting: The Complete Guide

GDPR and NIS2 compliance for casino hosting

If you run or host an online casino, sportsbook, or iGaming platform serving European players, two EU laws now define whether your infrastructure is legally defensible: the GDPR and the NIS2 Directive. They are not optional add-ons to a licensing checklist. GDPR and NIS2 compliance for casino hosting means your data centre, cloud provider, and application architecture all have to satisfy data protection law and cybersecurity risk-management law at the same time — and the two frameworks don’t always pull in the same direction.

Most operators discover this the hard way: a GDPR data-retention policy that says “delete what you don’t need” collides with a NIS2 logging requirement that says “keep evidence for forensics.” This guide breaks down exactly where GDPR and NIS2 apply to casino hosting, who is actually in scope (the operator, the hosting provider, or both), what technical controls satisfy both regulators, and how Gart’s compliance and infrastructure engineering practice helps gaming platforms get audit-ready without slowing down releases.

GDPR and NIS2 compliance statistics

Why GDPR and NIS2 Both Govern Casino Hosting

Online casino and sportsbook platforms sit at the intersection of two regulatory concerns that European lawmakers deliberately separated into two directives: protecting the personal data of individuals (GDPR) and protecting the network and information systems that critical digital services depend on (NIS2). A casino platform processes both — KYC documents, payment details, gameplay and betting history, and responsible-gambling behavioural data — on infrastructure that, by its nature as always-on, real-money, high-availability digital infrastructure, looks a lot like the kind of service NIS2 was written to protect.

The practical result is that a casino hosting stack is rarely evaluated against just one framework. Regulators, payment processors, and licensing bodies increasingly expect operators to demonstrate both data protection compliance and cybersecurity risk management maturity, and to be able to prove it with evidence, not policy documents.

🎯 The key distinction operators miss
GDPR protects people — it applies the moment you process the personal data of anyone in the EU, regardless of your size or sector. NIS2 protects infrastructure — it applies based on your sector, size, and role in the digital supply chain. A small casino operator might not trigger NIS2 directly, but the cloud provider, data centre, or content delivery network hosting that casino almost certainly does, because cloud computing, data centre, and CDN services are named explicitly in NIS2 Annex I as “digital infrastructure.”

Does NIS2 Apply to Online Casinos? Scope for Operators and Hosting Providers

The NIS2 Directive (EU) 2022/2555 does not list “gambling” or “gaming” as one of its named sectors in Annex I or Annex II. That leads a lot of operators to conclude, incorrectly, that NIS2 doesn’t concern them. In practice, casino and iGaming businesses are pulled into scope through two separate paths.

Path 1: The casino operator as a digital service provider

If your platform functions as an online marketplace, offers social or community features, or otherwise resembles the “digital provider” categories in NIS2 Annex II, you may be classified as an important entity in your own right, subject to the size thresholds (roughly 50+ employees or €10M+ turnover for medium enterprises, 250+ employees or €50M+ turnover for large ones).

Path 2: Your hosting provider as critical digital infrastructure

This is the path that matters for almost every casino platform, regardless of size. NIS2 Annex I explicitly names cloud computing service providers, data centre service providers, and content delivery network providers as “digital infrastructure” — a highly critical sector subject to the strictest obligations. If your casino platform runs on a qualifying EU cloud or data centre provider, that provider is contractually and legally obligated to run NIS2-grade risk management, incident reporting, and supply-chain security — and those obligations flow down to you through the hosting agreement, whether or not your own company is separately in scope.

Several EU member states have already transposed NIS2 into national law with gambling-specific relevance. Italy’s Legislative Decree No. 138/2024 (effective 18 October 2024) expanded cybersecurity obligations with a structured registration and compliance timeline. Malta — home to a large share of EU-licensed gambling operators — enacted Legal Notice 71 of 2025, replacing its previous NIS1 regime with self-registration through the Critical Infrastructure Protection Department and a dedicated national CSIRT. As DLA Piper’s analysis of NIS2 and gambling puts it, gambling operators and their suppliers “must promptly assess their eligibility under the Directive” rather than assume the absence of an explicit sector listing means the absence of obligations.

📋 What this means in practice
Before you can answer “are we NIS2 compliant,” you need a scoping exercise across three questions:

(1) does our own platform meet an Annex II digital-provider definition,
(2) is our hosting/cloud/CDN provider an Annex I essential entity, and
(3) does our national gambling regulator layer additional cybersecurity conditions onto our licence, independent of NIS2 itself. Gart’s infrastructure assessment is typically where this scoping starts.

GDPR Requirements for Casino and iGaming Platforms

Unlike NIS2, there’s no ambiguity about GDPR’s applicability: if your platform processes the personal data of anyone in the EU — players, affiliates, employees — GDPR applies, regardless of where your company or servers are based. For casino hosting specifically, four requirements come up repeatedly in regulatory guidance and enforcement actions.

A Data Protection Officer is effectively mandatory

Gambling operators typically carry out large-scale, systematic monitoring of individuals (fraud detection, responsible-gambling monitoring, behavioural profiling) and process special-category data for anti-money-laundering purposes. Both conditions independently trigger the GDPR Article 37 requirement to appoint a Data Protection Officer.

DPIAs for profiling and AML/CFT processing

Two categories of processing that are core to how casino platforms operate require a Data Protection Impact Assessment as a matter of course: systems that identify excessive or at-risk gambling behaviour, and systems that support anti-money-laundering and counter-terrorist-financing (AML/CFT) checks. Both involve profiling with potentially significant effects on the individual — precisely the trigger GDPR Article 35 is built around.

Consent, cookies, and marketing

GDPR Article 7 requires that consent for gambling marketing — emails, SMS, targeted advertising, retargeting pixels — be freely given, specific, informed, and as easy to withdraw as it was to give. Cookie consent banners that pre-tick marketing categories, or that make declining harder to find than accepting, are a recurring enforcement target across EU data protection authorities.

Data residency and international transfers

Many casino platforms run analytics, fraud-scoring, or customer-support tooling on US-based SaaS vendors. Since the invalidation of Privacy Shield (Schrems II), transfers of EU player data to the US require Standard Contractual Clauses plus a documented transfer impact assessment — not just a checkbox in a vendor’s terms of service. This is one of the more concrete reasons operators are re-evaluating EU-based hosting and digital sovereignty rather than defaulting to US hyperscalers.

France’s gambling regulator (ANJ) and data protection authority (CNIL) jointly published a 59-page GDPR compliance guide for licensed gambling operators in May 2026, addressing exactly this intersection of licensing obligations and data protection law — a strong signal that regulators are converging on sector-specific GDPR guidance rather than leaving operators to interpret general-purpose text.

Where GDPR and NIS2 Overlap — and Where They Pull Apart

The two frameworks reinforce each other on security fundamentals — encryption, access control, incident response — but they diverge sharply on data retention, and that divergence is exactly where casino hosting architectures get into trouble.

DimensionGDPR positionNIS2 position
Data retentionStorage limitation principle — keep personal data only as long as necessary for the stated purposeEncourages retaining logs, audit trails, and forensic evidence long enough to detect and investigate incidents
Primary objectiveProtect the rights and freedoms of individuals whose data is processedProtect the availability, integrity, and confidentiality of network and information systems
Who it applies toAny controller/processor handling EU personal data, regardless of sectorEntities in named sectors (Annex I/II) above size thresholds — including hosting/cloud/CDN providers
Breach/incident reporting72 hours to the supervisory authority; affected individuals notified if high risk24-hour early warning, 72-hour detailed report, final report within one month to the national CSIRT
GovernanceData Protection Officer oversight; accountability principle (Article 5(2))Management-body approval and oversight of cybersecurity measures; personal liability for gross negligence
Where GDPR and NIS2 Overlap — and Where They Pull Apart

The practical fix is architectural, not political: separate personal data from security telemetry at the schema level. Audit logs, IDS/IPS alerts, and access logs used for NIS2 incident forensics should be pseudonymised and retained under a security-specific retention schedule, distinct from the player-data retention schedule your GDPR Record of Processing Activities defines. Trying to run one retention policy for both purposes is the single most common source of audit friction Gart sees in iGaming infrastructure reviews.

Choosing GDPR- and NIS2-Ready Hosting Infrastructure

Where you host a casino platform is no longer a pure cost-and-latency decision — it’s a compliance decision with legal consequences. Three factors determine whether a hosting environment actually helps you meet GDPR and NIS2 obligations, or quietly works against you.

EU data residency and sub-processor transparency

Hosting player data on EU soil, with an EU-based cloud provider that publishes a complete, current sub-processor list, removes an entire category of GDPR international-transfer risk. Operators are increasingly comparing providers like Hetzner and IONOS specifically on data-sovereignty grounds — see Gart’s Hetzner vs. IONOS comparison for how these EU-native providers differ on compliance-relevant criteria like data centre location, certification scope, and contractual DPAs.

Provider-level NIS2 posture

Ask any hosting or cloud provider directly: are you classified as an essential entity under NIS2 in your jurisdiction of establishment, and can you share your incident-reporting SLAs and supply-chain security attestations? A provider that can’t answer this clearly is a supply-chain risk you’re inheriting without visibility into it — and NIS2 explicitly makes supply-chain security a first-class obligation for entities in scope.

Architecture that supports both regimes at once

Network segmentation that isolates wallet, KYC, and payment services from public-facing game clients serves GDPR’s data-minimization-by-design principle and NIS2’s risk-management requirements simultaneously — a single architectural decision satisfying two regulators. Gart’s DevOps practices for iGaming, casinos, and sports betting platforms cover this kind of compliance-aware Kubernetes and network design in more depth.

Technical Controls That Satisfy Both Regulations

Rather than building two parallel compliance programs, most of the technical work overlaps. The table below maps common infrastructure controls to the specific GDPR and NIS2 obligations they help satisfy.

ControlSatisfies GDPR by…Satisfies NIS2 by…
Encryption at rest and in transitMeeting Article 32 “appropriate technical measures” for security of processingMeeting the baseline cryptography requirement under Article 21 risk-management measures
Role-based access control (RBAC)Enforcing data minimization and the “need to know” principle for staff access to player dataSupporting access-control policy requirements under Article 21(2)(i)
Immutable audit loggingDemonstrating accountability (Article 5(2)) — who accessed what data, whenProviding the forensic evidence trail required for incident investigation and reporting
Network segmentation / Kubernetes NetworkPolicyReducing the blast radius of a breach involving payment or KYC dataLimiting lateral movement — a named risk-management measure under Article 21
Vulnerability management & patching cadencePreventing the kind of unpatched-system breach that triggers Article 33 notificationMeeting the explicit vulnerability-handling requirement in Article 21(2)(e)
Vendor / sub-processor due diligenceSatisfying Article 28 processor obligations and transfer impact assessmentsMeeting the supply-chain security requirement in Article 21(2)(d)
Automated compliance-as-code (OPA/Gatekeeper)Preventing configuration drift that could expose personal data by accidentProviding continuous evidence of risk-management measures for audits
Technical Controls That Satisfy Both Regulations

Incident Response and Breach Notification Timelines

One of the most common operational failures Gart sees during compliance reviews isn’t a missing control it’s a missing playbook that tells the on-call engineer which clock is ticking. GDPR and NIS2 run on different notification timelines, to different authorities, and a casino platform breach can trigger both at once.

MilestoneGDPR (Article 33/34)NIS2 (Article 23)
Who you notifyNational data protection supervisory authority; affected individuals if high riskNational CSIRT or competent cybersecurity authority
First notificationWithout undue delay, within 72 hours of becoming awareEarly warning within 24 hours of becoming aware
Detailed reportIncluded in the initial 72-hour notification (nature, scope, likely consequences)Incident notification within 72 hours, updating the initial assessment
Final reportNot separately mandated, but documentation must be maintained under Article 33(5)Final report within one month of the incident notification
Trigger thresholdA breach likely to result in a risk to individuals’ rights and freedomsAn incident with a “significant impact” on service provision
Incident Response and Breach Notification Timelines

Building one incident response runbook that maps a single security event to both timelines — rather than maintaining separate GDPR and NIS2 procedures that different teams own — is the difference between a controlled disclosure and a missed deadline discovered during an audit.

Penalties, Enforcement, and Personal Liability

The financial exposure under both regimes is large enough to change board-level risk appetite, and neither framework limits itself to fining the company.

  • GDPR: up to €20 million or 4% of total worldwide annual turnover for the most serious infringements — unlawful processing, breach of data subject rights, or unauthorized international transfers — whichever amount is higher.
  • NIS2 essential entities (including in-scope cloud, data centre, and CDN providers): up to €10 million or 2% of global annual turnover, whichever is higher.
  • NIS2 important entities: up to €7 million or 1.4% of global annual turnover, whichever is higher, with fines doubling for a repeat offence within three years.

NIS2 also introduces something GDPR enforcement rarely reaches for in practice: personal liability. Article 32(6) empowers national authorities to hold management bodies accountable for gross negligence, including administrative fines against individual executives and, for essential entities, temporary bans from management functions. Combined with the ENISA guidance on NIS2 implementation, this makes cybersecurity governance a board-level obligation, not a delegated IT function — a shift that gambling operators, with their traditionally licensing-focused compliance functions, are still adjusting to.

⚖️ Licence risk compounds financial risk
For a casino platform, a GDPR or NIS2 enforcement action rarely stays contained to the fine itself. Regulators such as the Malta Gaming Authority can treat a data protection or cybersecurity failure as evidence of inadequate operational controls under the gaming licence itself — turning a compliance fine into a licence review.

Compliance Checklist for Casino Hosting

AreaActionPriority
ScopingDetermine whether your platform and/or your hosting provider fall under NIS2 Annex I or II🔴 Critical
GDPR governanceAppoint a DPO and complete DPIAs for problem-gambling detection and AML/CFT profiling🔴 Critical
HostingConfirm EU data residency and request your provider’s NIS2 classification and sub-processor list🔴 Critical
Incident responseBuild one runbook covering both the GDPR 72-hour and NIS2 24/72-hour/1-month timelines🔴 Critical
ArchitectureSegment wallet, KYC, and payment services from public-facing game clients🟠 High
Data lifecycleSeparate personal-data retention schedules from security-log retention schedules🟠 High
Consent managementAudit cookie banners and marketing consent flows for pre-ticked boxes or dark patterns🟠 High
Supply chainExtend NIS2 supply-chain security assessments to payment, KYC, and analytics vendors🟡 Medium
GovernanceBrief the management body on NIS2 personal-liability exposure and require sign-off on the risk register🟡 Medium
Compliance Checklist for Casino Hosting

Case Study: Regulatory-Ready Infrastructure for a Sportsbook Platform

One of Gart’s iGaming engagements involved migrating a US-facing sportsbook to AWS while meeting state-by-state data residency rules — a compliance problem with the same shape as GDPR/NIS2 data-residency requirements in the EU. The team designed a multi-region architecture with jurisdiction-specific VPCs and data controls enforced through Service Control Policies, paired with an Infrastructure-as-Code approach covering 100% of production resources, so every environment change was auditable by design rather than by afterthought.

Results: deployment time dropped from 4 hours to 22 minutes, feature delivery sped up by 60%, and the platform improved performance by 30–40% — all while making regulatory infrastructure reviews a matter of pulling Terraform state and Git history, not reconstructing what changed from memory.

Read the full case study: AWS Migration & Infrastructure Localization for Sportsbook Platform

Compliance-Ready Infrastructure for iGaming

Need casino hosting that passes a GDPR and NIS2 audit — not just a licensing check?

Gart designs and operates infrastructure for casino, sportsbook, and iGaming platforms with data protection and cybersecurity risk management built in from the architecture up — EU data residency, segmented environments, immutable audit trails, and incident-response runbooks that satisfy both regulators.

NIS2 Compliance & Gap Assessment GDPR-Ready Infrastructure Design EU Data Residency & Sovereign Cloud DevSecOps & Compliance-as-Code IT Infrastructure Assessment Incident Response & Monitoring iGaming & Casino DevOps
Talk to a compliance specialist Explore our NIS2 compliance services →

You might also like

Roman Burdiuzha

Roman Burdiuzha

Co-founder & CTO, Gart Solutions · Cloud Architecture Expert

Roman has 15+ years of experience in DevOps and cloud architecture, with prior leadership roles at SoftServe and lifecell Ukraine. He co-founded Gart Solutions, where he leads cloud transformation and infrastructure modernization engagements across Europe and North America. In one recent client engagement, Gart reduced infrastructure waste by 38% through consolidating idle resources and introducing usage-aware automation. Read more on Startup Weekly.

FAQ

What is GDPR and NIS2 compliance for casino hosting?

It refers to ensuring that the infrastructure hosting an online casino or iGaming platform — servers, cloud environment, data centres, and networks — meets both the GDPR's rules on protecting personal data (consent, DPIAs, breach notification, data residency) and the NIS2 Directive's rules on cybersecurity risk management for critical digital infrastructure (risk analysis, incident reporting, supply-chain security). Casino platforms typically need to satisfy both simultaneously because they process sensitive personal data on infrastructure that qualifies as critical digital infrastructure under NIS2.

Does NIS2 apply to online casinos, and who is responsible — the operator or the hosting provider?

Gambling is not explicitly named as a sector in NIS2 Annex I or II, so applicability depends on specifics, and responsibility is often shared rather than exclusive. A casino operator may be in scope directly if it functions as a digital service provider under Annex II and meets the size thresholds. More commonly, the casino's hosting provider — if it is a cloud computing, data centre, or content delivery network provider — is in scope as "digital infrastructure" under Annex I, which means NIS2 obligations flow into the hosting relationship through supply-chain security requirements regardless of the operator's own size. Contracts and DPAs with the hosting provider should spell out each party's incident-reporting responsibilities so there's no ambiguity when a real incident occurs.

What are the main GDPR requirements for online casino platforms?

Casino platforms typically need a Data Protection Officer given the scale of monitoring and special-category data processing involved, Data Protection Impact Assessments for problem-gambling detection and AML/CFT profiling, freely-given and easily-withdrawable consent for marketing and cookies, a separate privacy policy from the terms and conditions, a documented record of processing activities, and a lawful basis and transfer safeguards (such as Standard Contractual Clauses) for any data sent outside the EU.

How much are the fines for GDPR and NIS2 non-compliance in the gambling sector?

GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. NIS2 fines cap at €10 million or 2% of global turnover for essential entities (including in-scope hosting and cloud providers), and €7 million or 1.4% for important entities, doubling for repeat offences within three years. NIS2 additionally allows regulators to hold individual executives personally liable for gross negligence, including temporary management bans for essential entities.

When must a data breach or cybersecurity incident be reported under GDPR and NIS2?

Under GDPR, a personal data breach likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware. Under NIS2, a significant incident requires an early warning to the national CSIRT within 24 hours, a more detailed incident notification within 72 hours, and a final report within one month. A single casino platform breach involving both personal data and system availability can trigger both timelines at once, which is why a unified incident response runbook is essential.

Where should casino platforms host data to meet GDPR and NIS2 requirements?

EU-based hosting with a provider that publishes a complete sub-processor list and can clearly state its own NIS2 classification removes the most common sources of compliance risk: international transfer complexity under GDPR, and supply-chain visibility gaps under NIS2. This is why more operators are evaluating EU-native cloud and data centre providers over US hyperscalers specifically on data-sovereignty and NIS2-readiness grounds, rather than on price and performance alone.

How can casino operators prepare for both GDPR and NIS2 audits at once?

Start with a scoping assessment to confirm which entities in your stack — the operator, the hosting provider, or both — fall under each framework. Then align technical controls that satisfy both regimes at once (encryption, RBAC, immutable audit logging, network segmentation), separate personal-data retention from security-log retention, and build one incident response runbook that maps to both notification timelines. Gart's IT infrastructure assessment and NIS2 compliance services are built around this combined-scope approach rather than treating GDPR and NIS2 as separate projects.
arrow arrow

Thank you
for contacting us!

Please, check your email

arrow arrow

Thank you

You've been subscribed

We use cookies to enhance your browsing experience. By clicking "Accept," you consent to the use of cookies. To learn more, read our Privacy Policy