Every enterprise running Microsoft 365 eventually asks the same question: do we keep certifying access with spreadsheets and email chains, or do we finally turn on Entra ID governance access reviews? The honest answer is more specific than "automate everything." Most organizations are already paying for a meaningful chunk of Entra ID Governance inside licenses they hold today — they just haven't switched it on. This breakdown puts real numbers next to both paths: the labor hours and error rates behind manual access reviews, what Entra ID's P1/P2/Governance tiers actually cost and include, and where the effort genuinely goes when you move from one to the other. If you're building the business case for your own rollout, Gart's security audit team runs this exact cost/effort analysis before recommending a licensing change, not after.
The comparison below isn't manual reviews versus a shiny new product. For most Microsoft 365 E5 customers, it's manual reviews versus activating identity governance access reviews already sitting inside a license line they're already paying for — and only reaching for the standalone Entra ID Governance add-on once that owned capability runs out of road.
Why Access Reviews Are Suddenly a Boardroom Topic
Access reviews used to be a quarterly checkbox for the identity team. They aren't anymore. Every excess entitlement sitting on an account is a reachable attack path, and the numbers behind that risk have gotten hard to ignore: IBM's Cost of a Data Breach Report 2025 found that malicious-insider incidents — the category most directly tied to over-permissioned or stale accounts — carry the highest average cost of any breach type, at $4.92 million per incident, well above the $4.44 million global average. When a credential is compromised, attackers don't need to be sophisticated; they need the account to still have access it should have lost months earlier.
At the same time, the compliance side of the equation has gotten stricter. SOX, GLBA, ISO 27001, and — for organizations in scope — NIS2 all expect documented, recurring evidence that access to sensitive systems is actively recertified, not just granted once and forgotten. A pile of approved spreadsheets from last quarter doesn't hold up well under audit scrutiny if nobody can explain why a given approval was granted.
⚠️ The real question isn't "manual or automated"For Microsoft-centric enterprises, it's usually "manual, or the identity governance capability you're already paying for inside Microsoft 365 E5." That distinction changes the entire cost conversation, and it's the one most vendor comparisons skip.
What Entra ID Governance Access Reviews Actually Do
Microsoft defines access reviews as a way to efficiently manage group memberships, access to enterprise applications, and privileged role assignments on a recurring basis, so that only the people who still need access keep it — see Microsoft's official access reviews overview for the full feature reference. In practice, that means a named reviewer — a manager, a resource owner, or the requester themselves — periodically confirms or revokes continued access to a specific group, application, or privileged role, with the decision, timestamp, and justification captured automatically as audit evidence.
Entra ID governance access reviews sit at the intersection of three Microsoft Entra licensing tiers, and which capabilities you get depends entirely on which tier a given user is licensed under. P1 handles conditional access, self-service password reset, and hybrid identity, with no access review capability on its own. P2 is the tier that actually matters for this comparison — it adds risk-based identity protection, Privileged Identity Management (PIM), and access reviews on groups, enterprise applications, and privileged roles. Entra ID Governance is a separate paid layer on top of P2 that adds entitlement management (access packages, approval workflows), automated lifecycle workflows for joiners/movers/leavers, and AI-assisted recommendations that flag stale or anomalous access during a review.
That licensing structure is the whole story of why a straight "manual vs. Entra ID Governance" comparison is misleading for most enterprises — the middle tier, P2, already includes real access review capability, and a lot of organizations own it without using it. More on that below.
The Real Cost of Manual Access Reviews
"Manual" access reviews usually means a spreadsheet or CSV export sent to dozens of managers, each expected to look through a flat list of usernames and entitlements with no context on login frequency, role peers, or how the access was originally granted. Under deadline pressure, the natural response is to approve everything — the rubber-stamp review that satisfies an audit checkbox without actually reducing risk.
Industry benchmark data from identity governance vendor BalkanID's analysis of enterprise access review deployments puts real numbers on that gap, modeled on a representative 10,000-user, 200-application organization running a quarterly review cycle:
MetricManual review cycleAutomated review cycleCompletion time4-8 weeks per cycle3-5 daysTotal effort1,200-1,800 FTE hoursUnder 200 FTE hoursReviewer effort per 100 users~12 hours~1 hourHuman error rate8-12% mis-classified or incompleteUnder 2%Audit exceptions per cycle2-30-1, with full traceabilityAnnual review cost$150K-$250K$30K-$50KRevocation time after a "reject" decision5-10 daysUnder 24 hoursThe Real Cost of Manual Access Reviews
The completion-rate gap matters as much as the labor cost. Where automated, evidence-backed reviews routinely reach 98% genuine completion, manual processes tend to cap out around 60% real completion — the rest is technically "done" in the sense that a manager clicked approve, without anyone actually verifying the access was still needed.
What Entra ID Governance Costs — And the Licensing Trap Most Enterprises Fall Into
Here's where the cost/effort math gets more interesting than a simple per-seat price tag. Entra ID P1 ships inside Microsoft 365 E3 and Business Premium; Entra ID P2 — the tier that includes access reviews, PIM, and risk-based protection — ships inside Microsoft 365 E5. Entra ID Governance is priced as a separate standalone add-on layered on top of P2, adding entitlement management and lifecycle automation that P2 alone doesn't cover.
That structure creates a specific, well-documented overspend pattern. Independent licensing analysis from Redress Compliance's Entra ID Pricing Buyer Guide, based on roughly 25-35 Microsoft identity licensing engagements reviewed in 2024-2025, found three recurring patterns:
Double payment. Standalone Entra P1 or P2 seats overlapped with entitlements already included in E3 or E5 on 15-25% of reviewed users — organizations were paying twice for identity capability their existing suite already granted.
Unused capability. P2 capabilities such as access reviews and Privileged Identity Management sat switched off on 40-60% of E5 estates that already owned them — the single largest finding in the engagement.
Governance bought too early. In roughly a third of cases, organizations purchased the standalone Entra ID Governance add-on while the P2 access reviews and PIM controls that ship inside their existing E5 license were never even activated.
The practical takeaway: before treating Entra ID Governance as a new purchase, most Microsoft-centric enterprises should confirm whether they're already licensed for P2 through E5 — and if so, whether access reviews are actually turned on. For many organizations, the highest-leverage first move costs nothing beyond configuration time: activate the group, application, and privileged-role access reviews already included in the license, prove the coverage gap that remains, and only then scope Governance for the specific entitlement-management or lifecycle-automation capability P2 genuinely doesn't provide.
Cost/Effort Comparison: Manual vs. Unused P2 vs. Activated P2 vs. Governance
Put the labor-hour data and the licensing reality side by side, and the decision looks less like "buy software" and more like a four-stage maturity path most enterprises should walk in order:
StageNew license costWhere the effort goesWhat you get1. Manual reviewsNone — but 1,200-1,800 FTE hours/cycleReviewer time, chasing approvals, compiling audit evidence by hand~60% real completion; 20-25% of high-risk entitlements missed2. P2 owned, unusedNone — already inside your E5 licenseZero — this is the risk state most E5 estates are actually inNothing; you're paying for a control that isn't running3. P2 activatedNone beyond existing E5Configuration: defining review scope, cadence, reviewers, recommendationsAccess reviews on groups, apps & privileged roles; automated audit trail4. Entra ID GovernanceStandalone add-on, scoped to needDeploying entitlement management, access packages, lifecycle workflowsSelf-service access requests, joiner/mover/leaver automation, AI recommendationsCost/Effort Comparison: Manual vs. Unused P2 vs. Activated P2 vs. Governance
Notice that the biggest jump in outcome — from a rubber-stamp manual cycle to a defensible, evidence-backed review — happens between Stage 1 and Stage 3, and Stage 3 doesn't require a new purchase for most E5 organizations. Stage 4 is a real and often justified investment, but it solves a different problem: self-service entitlement requests and lifecycle automation, not the base act of reviewing who has access to what.
Where the Risk Hides: What Manual Reviews Miss
A flat list of usernames and permissions gives a reviewer no context on whether access is still justified. Without that context, the same categories of risky access slip through review after review:
Dormant accounts with no login activity in 90+ days that still hold live entitlements.
Privilege creep — users who changed roles internally but kept access tied to their previous position, the exact failure mode Gart's least-privilege access model playbook is built to prevent.
Orphaned service accounts with no clear HR or business owner to confirm they're still needed.
Toxic access combinations, such as a single account holding both "create" and "approve" permissions in a financial system.
None of these show up cleanly in a spreadsheet — see Gart's step-by-step breakdown of how to run a user access review without spreadsheets for the process that catches them. They show up in identity governance tooling that correlates login telemetry, role peers, and ownership lineage — exactly the context P2 access reviews and Governance's AI-assisted recommendations are built to surface automatically instead of leaving it to a manager's memory.
🔍 An access review is only as good as its evidenceA completed review that can't show why an approval was made — no login history, no peer comparison, no justification — provides audit comfort without actually reducing risk. Gart's infrastructure audit engagements routinely find this gap: reviews that are technically "done" but functionally unverifiable.
A Phased Rollout From Manual Reviews to Entra ID Governance
The lowest-risk path from spreadsheets to a mature Entra ID governance access reviews program doesn't require a big-bang re-platform. It looks more like this:
Inventory what you already own. Cross-reference standalone Entra seats against E3/E5 entitlements to confirm you're not double-paying, and identify exactly which users are licensed for P2.
Activate P2 access reviews on the highest-risk scope first. Start with privileged roles (via PIM) and access to your most sensitive applications, not the entire directory at once.
Define reviewers and cadence deliberately. Resource owners, not IT generically, should review access to the resources they actually understand — quarterly is the right default cadence for anything compliance-sensitive, though see why quarterly access reviews commonly fail and how to fix it before assuming cadence alone solves the completion-rate problem.
Feed in identity telemetry from a properly configured Entra ID tenant so reviewers see login frequency and role context, not just a name and a permission.
Scope Governance only against the gap P2 doesn't cover — typically self-service access requests and joiner/mover/leaver automation — once the activated P2 reviews prove where that gap actually is.
This is also where integrating access governance into CI/CD and infrastructure-as-code pipelines pays off for engineering-heavy organizations: access reviews shouldn't stop at directory groups when service accounts and pipeline credentials often carry more standing privilege than any individual employee.
When Manual Reviews Still Make Sense
Automation isn't the right call for every organization on day one. Manual, spreadsheet-based reviews remain reasonable when the organization is small enough — well under a few hundred identities — that the 1,200-1,800 hour benchmark above doesn't apply at meaningful scale, when there's no Microsoft 365 E5 or standalone P2 licensing in place yet and the immediate need is a one-time compliance evidence gap rather than an ongoing program, or when access sprawl is genuinely limited: few applications, few privileged roles, low employee turnover.
Even then, the moment audit findings start citing SOX, ISO 27001, or NIS2-adjacent obligations — see Gart's breakdown of why ISO 27001 certification matters for growing companies and how NIS2 compliance obligations reach organizations through their infrastructure and hosting relationships — the completion-rate and evidence gaps in manual reviews become a documented finding, not just an internal inefficiency.
Identity Governance & Access Review Strategy
Not sure whether you're already paying for the access reviews you need?
Gart Solutions runs a licensing and access-review audit before recommending a single new purchase — mapping what your Microsoft 365 E3/E5 estate already includes, activating owned P2 controls, and scoping Entra ID Governance only for the specific gap it needs to fill.
Security Audit
Infrastructure Audit
Compliance Audit (SOX, ISO 27001, NIS2)
DevSecOps Consulting
IT Infrastructure Consulting
Cybersecurity Monitoring
Talk to an identity governance specialist
Explore our IT audit services →
You might also like
IT Infrastructure Components: The Complete Guide for Modern Enterprises
Compliance Audit Services
ISO 27001 vs SOC 2: Which Access Controls Do You Actually Need?
Infrastructure Audit: Process, Examples, Cost & ROI
Strengthen Your Information Security With a NIS2 Compliance Solution
Roman Burdiuzha
Co-founder & CTO, Gart Solutions · Cloud Architecture Expert
Roman has 15+ years of experience in DevOps and cloud architecture, with prior leadership roles at SoftServe and lifecell Ukraine. He co-founded Gart Solutions, where he leads cloud transformation and infrastructure modernization engagements across Europe and North America. In one recent client engagement, Gart reduced infrastructure waste by 38% through consolidating idle resources and introducing usage-aware automation. Read more on Startup Weekly.
If you run or host an online casino, sportsbook, or iGaming platform serving European players, two EU laws now define whether your infrastructure is legally defensible: the GDPR and the NIS2 Directive. They are not optional add-ons to a licensing checklist. GDPR and NIS2 compliance for casino hosting means your data centre, cloud provider, and application architecture all have to satisfy data protection law and cybersecurity risk-management law at the same time — and the two frameworks don't always pull in the same direction.
Most operators discover this the hard way: a GDPR data-retention policy that says "delete what you don't need" collides with a NIS2 logging requirement that says "keep evidence for forensics." This guide breaks down exactly where GDPR and NIS2 apply to casino hosting, who is actually in scope (the operator, the hosting provider, or both), what technical controls satisfy both regulators, and how Gart's compliance and infrastructure engineering practice helps gaming platforms get audit-ready without slowing down releases.
Why GDPR and NIS2 Both Govern Casino Hosting
Online casino and sportsbook platforms sit at the intersection of two regulatory concerns that European lawmakers deliberately separated into two directives: protecting the personal data of individuals (GDPR) and protecting the network and information systems that critical digital services depend on (NIS2). A casino platform processes both — KYC documents, payment details, gameplay and betting history, and responsible-gambling behavioural data — on infrastructure that, by its nature as always-on, real-money, high-availability digital infrastructure, looks a lot like the kind of service NIS2 was written to protect.
The practical result is that a casino hosting stack is rarely evaluated against just one framework. Regulators, payment processors, and licensing bodies increasingly expect operators to demonstrate both data protection compliance and cybersecurity risk management maturity, and to be able to prove it with evidence, not policy documents.
🎯 The key distinction operators missGDPR protects people — it applies the moment you process the personal data of anyone in the EU, regardless of your size or sector. NIS2 protects infrastructure — it applies based on your sector, size, and role in the digital supply chain. A small casino operator might not trigger NIS2 directly, but the cloud provider, data centre, or content delivery network hosting that casino almost certainly does, because cloud computing, data centre, and CDN services are named explicitly in NIS2 Annex I as "digital infrastructure."
Does NIS2 Apply to Online Casinos? Scope for Operators and Hosting Providers
The NIS2 Directive (EU) 2022/2555 does not list "gambling" or "gaming" as one of its named sectors in Annex I or Annex II. That leads a lot of operators to conclude, incorrectly, that NIS2 doesn't concern them. In practice, casino and iGaming businesses are pulled into scope through two separate paths.
Path 1: The casino operator as a digital service provider
If your platform functions as an online marketplace, offers social or community features, or otherwise resembles the "digital provider" categories in NIS2 Annex II, you may be classified as an important entity in your own right, subject to the size thresholds (roughly 50+ employees or €10M+ turnover for medium enterprises, 250+ employees or €50M+ turnover for large ones).
Path 2: Your hosting provider as critical digital infrastructure
This is the path that matters for almost every casino platform, regardless of size. NIS2 Annex I explicitly names cloud computing service providers, data centre service providers, and content delivery network providers as "digital infrastructure" — a highly critical sector subject to the strictest obligations. If your casino platform runs on a qualifying EU cloud or data centre provider, that provider is contractually and legally obligated to run NIS2-grade risk management, incident reporting, and supply-chain security — and those obligations flow down to you through the hosting agreement, whether or not your own company is separately in scope.
Several EU member states have already transposed NIS2 into national law with gambling-specific relevance. Italy's Legislative Decree No. 138/2024 (effective 18 October 2024) expanded cybersecurity obligations with a structured registration and compliance timeline. Malta — home to a large share of EU-licensed gambling operators — enacted Legal Notice 71 of 2025, replacing its previous NIS1 regime with self-registration through the Critical Infrastructure Protection Department and a dedicated national CSIRT. As DLA Piper's analysis of NIS2 and gambling puts it, gambling operators and their suppliers "must promptly assess their eligibility under the Directive" rather than assume the absence of an explicit sector listing means the absence of obligations.
📋 What this means in practiceBefore you can answer "are we NIS2 compliant," you need a scoping exercise across three questions:
(1) does our own platform meet an Annex II digital-provider definition,(2) is our hosting/cloud/CDN provider an Annex I essential entity, and (3) does our national gambling regulator layer additional cybersecurity conditions onto our licence, independent of NIS2 itself. Gart's infrastructure assessment is typically where this scoping starts.
GDPR Requirements for Casino and iGaming Platforms
Unlike NIS2, there's no ambiguity about GDPR's applicability: if your platform processes the personal data of anyone in the EU — players, affiliates, employees — GDPR applies, regardless of where your company or servers are based. For casino hosting specifically, four requirements come up repeatedly in regulatory guidance and enforcement actions.
A Data Protection Officer is effectively mandatory
Gambling operators typically carry out large-scale, systematic monitoring of individuals (fraud detection, responsible-gambling monitoring, behavioural profiling) and process special-category data for anti-money-laundering purposes. Both conditions independently trigger the GDPR Article 37 requirement to appoint a Data Protection Officer.
DPIAs for profiling and AML/CFT processing
Two categories of processing that are core to how casino platforms operate require a Data Protection Impact Assessment as a matter of course: systems that identify excessive or at-risk gambling behaviour, and systems that support anti-money-laundering and counter-terrorist-financing (AML/CFT) checks. Both involve profiling with potentially significant effects on the individual — precisely the trigger GDPR Article 35 is built around.
Consent, cookies, and marketing
GDPR Article 7 requires that consent for gambling marketing — emails, SMS, targeted advertising, retargeting pixels — be freely given, specific, informed, and as easy to withdraw as it was to give. Cookie consent banners that pre-tick marketing categories, or that make declining harder to find than accepting, are a recurring enforcement target across EU data protection authorities.
Data residency and international transfers
Many casino platforms run analytics, fraud-scoring, or customer-support tooling on US-based SaaS vendors. Since the invalidation of Privacy Shield (Schrems II), transfers of EU player data to the US require Standard Contractual Clauses plus a documented transfer impact assessment — not just a checkbox in a vendor's terms of service. This is one of the more concrete reasons operators are re-evaluating EU-based hosting and digital sovereignty rather than defaulting to US hyperscalers.
France's gambling regulator (ANJ) and data protection authority (CNIL) jointly published a 59-page GDPR compliance guide for licensed gambling operators in May 2026, addressing exactly this intersection of licensing obligations and data protection law — a strong signal that regulators are converging on sector-specific GDPR guidance rather than leaving operators to interpret general-purpose text.
Where GDPR and NIS2 Overlap — and Where They Pull Apart
The two frameworks reinforce each other on security fundamentals — encryption, access control, incident response — but they diverge sharply on data retention, and that divergence is exactly where casino hosting architectures get into trouble.
DimensionGDPR positionNIS2 positionData retentionStorage limitation principle — keep personal data only as long as necessary for the stated purposeEncourages retaining logs, audit trails, and forensic evidence long enough to detect and investigate incidentsPrimary objectiveProtect the rights and freedoms of individuals whose data is processedProtect the availability, integrity, and confidentiality of network and information systemsWho it applies toAny controller/processor handling EU personal data, regardless of sectorEntities in named sectors (Annex I/II) above size thresholds — including hosting/cloud/CDN providersBreach/incident reporting72 hours to the supervisory authority; affected individuals notified if high risk24-hour early warning, 72-hour detailed report, final report within one month to the national CSIRTGovernanceData Protection Officer oversight; accountability principle (Article 5(2))Management-body approval and oversight of cybersecurity measures; personal liability for gross negligenceWhere GDPR and NIS2 Overlap — and Where They Pull Apart
The practical fix is architectural, not political: separate personal data from security telemetry at the schema level. Audit logs, IDS/IPS alerts, and access logs used for NIS2 incident forensics should be pseudonymised and retained under a security-specific retention schedule, distinct from the player-data retention schedule your GDPR Record of Processing Activities defines. Trying to run one retention policy for both purposes is the single most common source of audit friction Gart sees in iGaming infrastructure reviews.
Choosing GDPR- and NIS2-Ready Hosting Infrastructure
Where you host a casino platform is no longer a pure cost-and-latency decision — it's a compliance decision with legal consequences. Three factors determine whether a hosting environment actually helps you meet GDPR and NIS2 obligations, or quietly works against you.
EU data residency and sub-processor transparency
Hosting player data on EU soil, with an EU-based cloud provider that publishes a complete, current sub-processor list, removes an entire category of GDPR international-transfer risk. Operators are increasingly comparing providers like Hetzner and IONOS specifically on data-sovereignty grounds — see Gart's Hetzner vs. IONOS comparison for how these EU-native providers differ on compliance-relevant criteria like data centre location, certification scope, and contractual DPAs.
Provider-level NIS2 posture
Ask any hosting or cloud provider directly: are you classified as an essential entity under NIS2 in your jurisdiction of establishment, and can you share your incident-reporting SLAs and supply-chain security attestations? A provider that can't answer this clearly is a supply-chain risk you're inheriting without visibility into it — and NIS2 explicitly makes supply-chain security a first-class obligation for entities in scope.
Architecture that supports both regimes at once
Network segmentation that isolates wallet, KYC, and payment services from public-facing game clients serves GDPR's data-minimization-by-design principle and NIS2's risk-management requirements simultaneously — a single architectural decision satisfying two regulators. Gart's DevOps practices for iGaming, casinos, and sports betting platforms cover this kind of compliance-aware Kubernetes and network design in more depth.
Technical Controls That Satisfy Both Regulations
Rather than building two parallel compliance programs, most of the technical work overlaps. The table below maps common infrastructure controls to the specific GDPR and NIS2 obligations they help satisfy.
ControlSatisfies GDPR by...Satisfies NIS2 by...Encryption at rest and in transitMeeting Article 32 "appropriate technical measures" for security of processingMeeting the baseline cryptography requirement under Article 21 risk-management measuresRole-based access control (RBAC)Enforcing data minimization and the "need to know" principle for staff access to player dataSupporting access-control policy requirements under Article 21(2)(i)Immutable audit loggingDemonstrating accountability (Article 5(2)) — who accessed what data, whenProviding the forensic evidence trail required for incident investigation and reportingNetwork segmentation / Kubernetes NetworkPolicyReducing the blast radius of a breach involving payment or KYC dataLimiting lateral movement — a named risk-management measure under Article 21Vulnerability management & patching cadencePreventing the kind of unpatched-system breach that triggers Article 33 notificationMeeting the explicit vulnerability-handling requirement in Article 21(2)(e)Vendor / sub-processor due diligenceSatisfying Article 28 processor obligations and transfer impact assessmentsMeeting the supply-chain security requirement in Article 21(2)(d)Automated compliance-as-code (OPA/Gatekeeper)Preventing configuration drift that could expose personal data by accidentProviding continuous evidence of risk-management measures for auditsTechnical Controls That Satisfy Both Regulations
Incident Response and Breach Notification Timelines
One of the most common operational failures Gart sees during compliance reviews isn't a missing control it's a missing playbook that tells the on-call engineer which clock is ticking. GDPR and NIS2 run on different notification timelines, to different authorities, and a casino platform breach can trigger both at once.
MilestoneGDPR (Article 33/34)NIS2 (Article 23)Who you notifyNational data protection supervisory authority; affected individuals if high riskNational CSIRT or competent cybersecurity authorityFirst notificationWithout undue delay, within 72 hours of becoming awareEarly warning within 24 hours of becoming awareDetailed reportIncluded in the initial 72-hour notification (nature, scope, likely consequences)Incident notification within 72 hours, updating the initial assessmentFinal reportNot separately mandated, but documentation must be maintained under Article 33(5)Final report within one month of the incident notificationTrigger thresholdA breach likely to result in a risk to individuals' rights and freedomsAn incident with a "significant impact" on service provisionIncident Response and Breach Notification Timelines
Building one incident response runbook that maps a single security event to both timelines — rather than maintaining separate GDPR and NIS2 procedures that different teams own — is the difference between a controlled disclosure and a missed deadline discovered during an audit.
Penalties, Enforcement, and Personal Liability
The financial exposure under both regimes is large enough to change board-level risk appetite, and neither framework limits itself to fining the company.
GDPR: up to €20 million or 4% of total worldwide annual turnover for the most serious infringements — unlawful processing, breach of data subject rights, or unauthorized international transfers — whichever amount is higher.
NIS2 essential entities (including in-scope cloud, data centre, and CDN providers): up to €10 million or 2% of global annual turnover, whichever is higher.
NIS2 important entities: up to €7 million or 1.4% of global annual turnover, whichever is higher, with fines doubling for a repeat offence within three years.
NIS2 also introduces something GDPR enforcement rarely reaches for in practice: personal liability. Article 32(6) empowers national authorities to hold management bodies accountable for gross negligence, including administrative fines against individual executives and, for essential entities, temporary bans from management functions. Combined with the ENISA guidance on NIS2 implementation, this makes cybersecurity governance a board-level obligation, not a delegated IT function — a shift that gambling operators, with their traditionally licensing-focused compliance functions, are still adjusting to.
⚖️ Licence risk compounds financial riskFor a casino platform, a GDPR or NIS2 enforcement action rarely stays contained to the fine itself. Regulators such as the Malta Gaming Authority can treat a data protection or cybersecurity failure as evidence of inadequate operational controls under the gaming licence itself — turning a compliance fine into a licence review.
Compliance Checklist for Casino Hosting
AreaActionPriorityScopingDetermine whether your platform and/or your hosting provider fall under NIS2 Annex I or II🔴 CriticalGDPR governanceAppoint a DPO and complete DPIAs for problem-gambling detection and AML/CFT profiling🔴 CriticalHostingConfirm EU data residency and request your provider's NIS2 classification and sub-processor list🔴 CriticalIncident responseBuild one runbook covering both the GDPR 72-hour and NIS2 24/72-hour/1-month timelines🔴 CriticalArchitectureSegment wallet, KYC, and payment services from public-facing game clients🟠 HighData lifecycleSeparate personal-data retention schedules from security-log retention schedules🟠 HighConsent managementAudit cookie banners and marketing consent flows for pre-ticked boxes or dark patterns🟠 HighSupply chainExtend NIS2 supply-chain security assessments to payment, KYC, and analytics vendors🟡 MediumGovernanceBrief the management body on NIS2 personal-liability exposure and require sign-off on the risk register🟡 MediumCompliance Checklist for Casino Hosting
Case Study: Regulatory-Ready Infrastructure for a Sportsbook Platform
One of Gart's iGaming engagements involved migrating a US-facing sportsbook to AWS while meeting state-by-state data residency rules — a compliance problem with the same shape as GDPR/NIS2 data-residency requirements in the EU. The team designed a multi-region architecture with jurisdiction-specific VPCs and data controls enforced through Service Control Policies, paired with an Infrastructure-as-Code approach covering 100% of production resources, so every environment change was auditable by design rather than by afterthought.
Results: deployment time dropped from 4 hours to 22 minutes, feature delivery sped up by 60%, and the platform improved performance by 30–40% — all while making regulatory infrastructure reviews a matter of pulling Terraform state and Git history, not reconstructing what changed from memory.
Read the full case study: AWS Migration & Infrastructure Localization for Sportsbook Platform
Compliance-Ready Infrastructure for iGaming
Need casino hosting that passes a GDPR and NIS2 audit — not just a licensing check?
Gart designs and operates infrastructure for casino, sportsbook, and iGaming platforms with data protection and cybersecurity risk management built in from the architecture up — EU data residency, segmented environments, immutable audit trails, and incident-response runbooks that satisfy both regulators.
NIS2 Compliance & Gap Assessment
GDPR-Ready Infrastructure Design
EU Data Residency & Sovereign Cloud
DevSecOps & Compliance-as-Code
IT Infrastructure Assessment
Incident Response & Monitoring
iGaming & Casino DevOps
Talk to a compliance specialist
Explore our NIS2 compliance services →
You might also like
Strengthen Your Information Security with NIS2 Compliance Solutions
Digital Sovereignty of Europe: Choosing the EU Cloud Provider
DevOps Practices in iGaming, Casinos, and Sports Betting Companies
What Is DevSecOps? Integrating Security into Your DevOps Pipeline
Free NIS2 Compliance Checklist (PDF Guide)
Roman Burdiuzha
Co-founder & CTO, Gart Solutions · Cloud Architecture Expert
Roman has 15+ years of experience in DevOps and cloud architecture, with prior leadership roles at SoftServe and lifecell Ukraine. He co-founded Gart Solutions, where he leads cloud transformation and infrastructure modernization engagements across Europe and North America. In one recent client engagement, Gart reduced infrastructure waste by 38% through consolidating idle resources and introducing usage-aware automation. Read more on Startup Weekly.
NIS2 Directive Update Taking Effect in October 2024
The NIS2 Directive is a significant update to the original NIS Directive which was implemented in 2016. It aims to bolster cybersecurity resilience across the European Union (EU) by introducing stricter regulations and expanding its reach.
EU member states have until October 17, 2024, to translate the NIS2 Directive into their national laws.
This means businesses have just a bit more than 60 days (about 2 months) to ensure compliance.
Article 21 has its complete list of policies for the protection of network and information systems, as well as the physical environment of those systems from incidents.
Below is the entitlement of the requirements:
Article 21 of the NIS2 directive to protect networks, information systems & physical environment from incidents.
Why is this Security Update Important for European Businesses?
The NIS2 Directive represents a major shift in cybersecurity regulations for European businesses.
Here's why it's critical:
Fortress Against Rising Cyberattacks
Europe is a prime target for cyberattacks, with a documented surge in incidents across critical infrastructure. According to Deloitte, attacks skyrocketed by 45% globally and a staggering 220% within the EU between 2020 and 2021. NIS2 compliance strengthens your organization's online defenses and fosters a collective EU bulwark against emerging threats.
Proactive Risk Management and Business Continuity
NIS2 mandates proactive risk management strategies to identify and mitigate cyber threats before they disrupt operations. Furthermore, compliance promotes business continuity planning to ensure minimal disruption and maintain customer trust even in a cyberattack.
Improved Threat Response and Collaboration
The directive fosters better incident reporting, allowing you to notify relevant authorities about security breaches and their potential consequences. This timely information sharing safeguards other organizations and fosters collaboration within the business community to exchange best practices and threat prevention experiences.
New Industries Under the NIS2
One of the significant changes in the NIS2 Directive is the expansion of its scope. The updated directive now includes more industries than the original version.
Previously, the NIS Directive targeted sectors like energy, transport, banking, and health.
NIS2 extends to cover additional industries such as:
Food and water supply chains
Digital infrastructure
Public administration
Space industry
Waste management
This expansion means that more businesses will need to align with the new cybersecurity standards, ensuring a wider net of protection across the EU.
Fines & Penalties
Non-compliance with NIS2 can lead to significant financial penalties that vary depending on the classification of your organization (essential entity).
Here's a breakdown of the potential consequences:
Essential Entities
Failing to comply can result in fines of up to €10 million, or less, a penalty reaching 2% of your total global annual turnover. That's a significant financial blow that could cripple your business.
Important Entities
The penalties are still substantial, with fines reaching €7 million or 1.4% of your global annual turnover.
Beyond hefty fines, NIS2 also enforces stricter accountability on management. Company leaders can be held personally liable for infringements, facing potential temporary bans and even the suspension of services. This underscores the seriousness with which the EU views cybersecurity and the importance of implementing robust security measures.
NIS2 Compliance Directive with Gart: Tips & Recommendations
At Gart Solutions, we understand the challenges businesses face in navigating complex regulations like NIS2. Here are some tips to help you achieve compliance:
Identify Your Compliance Status
The first step is to determine whether your organization falls under the scope of NIS2. We will help you to conduct a thorough assessment of your industry and activities.
Perform a Security Risk Assessment
Identification and evaluation of potential cybersecurity risks is a must. Gart can manage this journey within your organization.
Develop a Cybersecurity Strategy
We will help to evaluate your security posture and design a cybersecurity strategy that addresses the risk management profile.
Invest in Employee Training
As Gart is an IT Consulting provider — we also dedicate our efforts to educate your employees on cybersecurity best practices to prevent social engineering attacks and phishing attempts.
Seek Expert Guidance
Partnering with a trusted cybersecurity solutions provider like Gart Solutions can ensure you have the resources and expertise necessary to achieve and maintain NIS2 compliance.
Contact us for a Free Consultation.
Download our Free Checklist
See how we can help to comply with the latest NIS2 requirements
Download
NIS2-Compliance-Checklist-A-Comprehensive-Guide-to-Audit_Free-PDFDownload
Choosing the EU Cloud Solutions Provider: What is The Way to Be Prepared for the Update?
Choosing the EU cloud provider is one of the options to be prepared for the NIS2 compliance update.
Gart Solutions, together with our partner — vBoxx, a renowned EU cloud solutions provider, offers a range of managed hosting and cloud server services that can significantly support businesses in their digital transformation journey.
vBoxx is an expert in the data journey part of NIS2 and has outlined how to simplify your data security compliance:
1. Understanding the NIS2 Directive
The NIS2 Directive represents a significant evolution in EU cybersecurity regulation, broadening the scope of compliance requirements to include a wider array of sectors. This directive underscores the necessity of not only securing data but also understanding its entire journey.
Organizations must be vigilant about tracking their data flow to mitigate risks and meet the stringent new standards imposed by NIS2.
2. Comprehensive Data Tracking
Compliance with NIS2 requires an in-depth understanding of where and how data is processed, stored, and transferred. This involves documentation of every stage of the data lifecycle — from creation and processing to storage and eventual deletion. By mapping out the data journey, organizations can better identify vulnerabilities and ensure that all parties involved in data handling adhere to high security standards.
3. The Challenge of Sub-processors
One of the most complex challenges introduced by NIS2 is the need for organizations to maintain visibility over all sub-processors involved in data processing. Each sub-processor, regardless of their role, must meet the same rigorous cybersecurity standards. This requires thorough vetting and ongoing monitoring to ensure compliance, making it critical for businesses to establish strong relationships and clear communication channels with their sub-processors.
4. Strategic Shifts in the Market
In response to NIS2, many businesses are re-evaluating their reliance on third-party sub-processors, especially those located outside the EU. By consolidating data operations within the EU, organizations can better manage compliance and reduce the risk of data breaches.
This trend towards localized data handling is reshaping the market, as companies seek to simplify their data ecosystems and enhance security.
5. Practical Steps for Compliance
To align with NIS2, businesses must take proactive measures, such as engaging closely with their service providers, conducting comprehensive risk assessments, and considering a shift to EU-based data centers and services. These steps not only facilitate compliance but also strengthen the overall cybersecurity posture, ensuring that the organization is well-prepared to meet current and future regulatory demands.
How Not to Repeat Mistakes: Case of Microsoft
If you say, we are using public data providers, there’s still are pitfalls we have to consider.
Let’s take, for example, Microsoft. Microsoft's products continue to be widely used, but they present significant challenges in transparency and data security.
At the time of writing, Microsoft lists 47 subprocessors and 36 data centers, but details on their operations and data handling are unclear. This is concerning given Microsoft's ongoing GDPR violations and multiple security breaches last year.
Moreover, the global spread of subprocessors, often linked to parent companies in various countries, adds complexity and potential security risks, making it difficult for companies to verify compliance and data safety.
Learn more about Microsoft’s Data Practices and the numerous DDoS attacks they responded to. This is a good case of how not to repeat their mistakes.
Final words
Prepare your business for the NIS2 compliance update with the expert guidance of Gart Solutions and our partner — vBoxx. Download our Free Checklist — a comprehensive guide to the NIS2 audit, and ensure your organization is ready for the upcoming changes.
Partner with Gart Solutions and vBoxx — overcome the security challenges and align with NIS2 in this ever-evolving cybersecurity landscape.
Wanna know how? Contact us.
Schedule a Free Consultation
See how we can help to overcome the challenges of NIS2 compliance.
Contact us