Cybersecurity and Compliance for Online Gambling Operators in 2026

Cybersecurity in online gambling and compliance with statutory obligations in 2026 are under exceptionally strict scrutiny. This article clearly explains what steps online gaming operators must take to fully meet the requirements of the Gambling Act, AML legislation, the GDPR, and the new Cybersecurity Act, based on the recommendations of the attorneys at ARROWS, a Prague-based law firm.

The illustrative image shows a specialist discussing the topic of compliance with statutory obligations.

Key takeaways

An online gambling operator in the Czech Republic is an entity regulated under the Gambling Act, an obliged entity under the Czech AML Act, and a personal data controller subject to the GDPR. In many cases, it also falls under the regulation of the new Cybersecurity Act under the NIS2 regime. In practice, this means an obligation to rigorously verify players’ identities (KYC), check the Register of Excluded Persons (RVO), implement self-exclusion measures, and apply robust data protection rules.

Typical weaknesses of operators include underestimated contractual arrangements with IT and marketing suppliers, missing logging, and incomplete audit trails. These shortcomings significantly increase the risk of high financial penalties, lengthy administrative proceedings, and severe reputational damage.

From a technical security perspective, standard protection in the form of antivirus software is no longer sufficient. Encrypted communication using modern TLS/HTTPS protocols is required, as well as multi-factor authentication (MFA) for all access, regular penetration testing, reliable backups under the 3-2-1 scheme, and systematic vulnerability management.

Cybersecurity is a strategic topic for statutory bodies and owners, who bear personal responsibility for approving and overseeing security measures. The attorneys at ARROWS therefore recommend integrating cybersecurity into overall risk management and the protection of the company’s value.

Introduction: why cybersecurity in online gambling is a topic for company management

Online gambling is among the most highly regulated sectors of the digital economy, with demanding security requirements. An operator of an online casino, betting company, or other online game works with highly sensitive personal and financial data, which is a primary target for cyber attackers. In addition to standard identification data, it processes information on gambling behaviour, financial transactions, or potential self-exclusion measures, placing such data under an enhanced protection regime under the GDPR.

In the Czech Republic, this sector is subject to strict supervision by the Ministry of Finance under the Gambling Act and by the Czech Customs Administration, which monitors and combats illegal online gambling. Illegal operation of online gambling constitutes a specific type of cybercrime, the incidence of which has shown a long-term upward trend.

Another fundamental layer consists of obligations in the area of combating money laundering and terrorist financing. Under the Czech AML Act, a gambling operator is an “obliged entity” and is subject to strict requirements comparable to those in the banking sector. This includes customer identification and verification (KYC), ongoing transaction monitoring, risk assessment, record-keeping, and an obligation to report suspicious transactions to the Financial Analytical Office (FAÚ).

This legal framework has been fully complemented by the new Cybersecurity Act, which transposed the European NIS2 Directive into the Czech legal system. This legislation no longer treats cybersecurity as an isolated technical matter, but rather as a key component of risk management and business continuity. Online gambling operators are therefore under the scrutiny of NÚKIB and are required to implement robust security measures.

For company management and investors, this brings significant responsibility. In online gambling, a cyber incident can cause not only immediate service outages and direct financial losses, but also leaks of player databases, misuse of payment data, and an irreversible loss of user trust. Combined with the threat of high fines and the real risk of licence revocation, this represents a critical business risk.

The attorneys at ARROWS therefore recommend, in practice, detailed due diligence, where the state of cybersecurity and compliance is a key factor in investment transactions. The level of security directly affects negotiating leverage, the final purchase price, and the overall success of mergers and acquisitions.

Legal framework for cybersecurity in online gambling in the Czech Republic and the EU

The regulatory environment for operators of online games in the Czech Republic consists of several interconnected areas of law. For successful operation in the market, it is essential to understand the relationships between gambling legislation, AML regulations, personal data protection, and new cybersecurity standards.

The Gambling Act and related regulation

The key legal regulation in this area in the Czech Republic is Act No. 186/2016 Coll., on Gambling (the Gambling Act). This Act comprehensively regulates the conditions for operating gambling games, responsible gambling measures, and the powers of supervisory authorities. For online gambling—defined in the Act as an “internet game”—the Gambling Act sets specific requirements that directly affect cybersecurity and data governance.

An internet game operator must hold a basic licence issued by the Czech Ministry of Finance, and foreign operators targeting the Czech market are fully subject to Czech jurisdiction. The Act defines territorial scope so that a game is deemed to be operated in the Czech Republic if it is targeted at persons resident in the Czech Republic or if it is available in the Czech language.

The Gambling Act places strong emphasis on responsible gambling measures. The operator must allow players to set self-exclusion measures, such as daily or monthly limits on stakes, net losses, login duration, or the frequency of website visits. Once the set limit is reached, the gaming system must automatically prevent the player from further participation in the game and log them out.

A key control tool is the Register of Excluded Persons (RVO), and the operator must verify the player’s status upon registration and before each login. This verification takes place in real time via a secure interface and requires flawless technical integration and the keeping of detailed audit records for inspection purposes.

Online gambling operators are also required to implement the so-called “Panic Button” (a button for immediate prevention of participation in the game). This technical element must be visibly available in the game interface throughout the game and must allow the player to immediately block participation in the game with the given operator for exactly 48 hours. At the same time, the system must offer the player the option to submit a request to be entered in the RVO.

The fairness of online games is ensured by certification of the random number generator (RNG), which must guarantee statistical randomness of the outcomes. Regular audits and RNG certification by an authorised testing laboratory are an essential condition for maintaining a licence to operate games.

The AML Act and KYC/AML obligations

Under Act No. 253/2008 Coll., on certain measures against the legalization of proceeds of crime and the financing of terrorism (the AML Act), gambling operators are classified as obliged entities. From an AML compliance perspective, this entails obligations comparable to those of financial institutions.

The core pillar is the Know Your Customer (KYC) principle, which in online gambling means a complete exclusion of anonymous participation and a mandatory identity verification. For the online environment, the AML Act requires reliable verification methods, such as the use of electronic identification means with a high level of assurance (e.g., BankID) or mediated identification at Czech POINT service counters.

In addition to customer identification, the operator must carry out ongoing customer due diligence, monitor financial transactions, assess the risk profile and, if suspicious behavioural patterns are detected, promptly file a suspicious transaction report with the Financial Analytical Office (FAÚ). This requires the deployment of specialised monitoring systems and algorithms to detect fraudulent conduct.

The AML Act imposes an obligation to retain customer identification data, copies of documents and transaction records for 10 years from the termination of the business relationship. This long retention period constitutes a statutory exception to the right to erasure under the GDPR, which the operator must properly address in its internal policies.

From an internal organisational perspective, the operator must develop a system of internal rules (an internal AML programme), carry out a risk assessment, appoint a contact person for liaison with the FAÚ and ensure regular employee training. Failure to comply with these obligations may result in fines of up to CZK 50 million and the submission of a motion to revoke the licence.

GDPR and protection of players’ data

The operation of online gambling is fully subject to the General Data Protection Regulation (GDPR). The operator acts as a data controller and processes a broad range of data – from basic identification and contact details through financial transactions to sensitive information related to gaming limits or registration in the RVO.

The processing of personal data must be based on a clear legal basis and must comply with the principles of transparency, data minimisation and storage limitation. Breaches of GDPR rules may lead to significant fines of up to EUR 20 million or 4% of the company’s worldwide annual turnover, whichever is higher.

Operators often make mistakes in setting up relationships with external suppliers of IT platforms, cloud services, payment gateways or marketing tools. If these partners process players’ personal data on behalf of the operator, they have the status of a processor and it is necessary to conclude a written personal data processing agreement (Data Processing Agreement – DPA) meeting the requirements of Article 28 GDPR.

Formal or missing agreements are a frequent source of high sanctions during inspections by the Office for Personal Data Protection (ÚOOÚ). The GDPR also imposes an obligation to report personal data breaches to the ÚOOÚ without undue delay, no later than within 72 hours from the moment the controller becomes aware of it.

The new Cybersecurity Act and the NIS2 Directive

The new Cybersecurity Act transposes the European NIS2 Directive into Czech legislation and significantly expands the range of regulated entities. This legislation applies to service providers in sectors with a high degree of digitalisation and importance for the economy that meet the specified criteria. Operators of online gambling games that meet these criteria become providers of a regulated service.

The new rules require systematic management of cyber risks, which means an obligation to identify key assets and implement appropriate technical and organisational measures. Minimum required measures include the implementation of multi-factor authentication (MFA), segmentation of computer networks, secure backups and regular vulnerability management.

A significant obligation is the reporting of cybersecurity incidents. If an incident occurs with a significant impact on the provided service, the operator must submit an initial warning to NÚKIB within 24 hours of detecting the incident. A more detailed report must be sent within 72 hours and a final report with a root-cause analysis within 30 days.

A key change is the direct personal liability of members of the statutory body for approving and overseeing the implementation of security measures. Top management cannot avoid responsibility merely by delegating to the IT department; in the event of serious neglect of duties, they face personal liability and a ban on performing management functions.

The National Cybersecurity Strategy and the broader context

The National Cybersecurity Strategy of the Czech Republic sets a strategic framework for strengthening the resilience of the state and the private sector against cyber threats. The document emphasises the need for a proactive approach, sharing threat intelligence and strengthening cooperation between the public and private sectors under the coordination of NÚKIB.

The online gambling sector, as a highly transaction-intensive industry working with financial funds, is considered an attractive target for cybercriminal groups. The Strategy identifies sophisticated attacks using ransomware and advanced social engineering methods as the main threats.

Within the EU, there is no single harmonised legislation specifically for gambling; regulation falls within the competence of the Member States, which must nevertheless respect the fundamental principles of European law. Operators active in multiple jurisdictions must therefore coordinate their compliance programmes with regard to the specifics of national legislation while also implementing robust international standards such as ISO/IEC 27001.

The attorneys of ARROWS advokátní kancelář, in this context, help clients set up cross-border structures so that they meet the strict requirements of Czech regulation. This enables efficient operation within international groups while leveraging synergies in IT infrastructure and security.

Specific cyber risks in online gambling

Operators of online gambling games face a wide range of specific threats that may jeopardise not only the technical infrastructure but also the very existence of the business. Understanding these risks is the first step towards building an effective defence.

Ransomware, malware, spyware and attacks on players’ data

Ransomware attacks represent one of the most serious threats to online gambling platforms, with potentially devastating consequences. Modern ransomware does not focus only on encrypting data and demanding a ransom for decryption, but also uses the method of double extortion. Attackers first steal sensitive player data and internal documentation and only then encrypt the systems. If the operator refuses to pay, they threaten to publish the data on the darknet.

A leak of a player database has devastating legal and commercial consequences for operators, including the threat of substantial fines from the Czech Data Protection Authority (ÚOOÚ) and claims for compensation. In addition to ransomware, platforms face risks associated with malware and spyware aimed at compromising employees’ administrative accounts. Malicious code most often enters systems through software vulnerabilities.

Spyware installed within a network can monitor internal communications over the long term, record keystrokes (keylogging), and obtain access credentials to gaming servers or payment interfaces. Detecting these hidden threats requires advanced endpoint monitoring tools (EDR/XDR) and continuous analysis of network traffic.

DDoS attacks and service availability

Distributed Denial of Service (DDoS) attacks are a common tool of extortion and unfair competitive practices in the online gambling sector. The aim of the attack is to overwhelm the operator’s servers with an enormous volume of artificially generated traffic, leading to slowdowns or complete unavailability of the platform for legitimate players.

For an online casino or betting operator, even a short outage lasting minutes means a direct loss of revenue and a rapid migration of players to competitors. Attackers often launch DDoS attacks as a means of pressure and demand a ransom in cryptocurrencies to stop them.

DDoS attacks may also serve as a smokescreen to conceal far more dangerous activity. While the IT team focuses its full attention and resources on restoring website availability, attackers attempt in the background to breach databases or compromise payment systems. Effective defence requires specialised mitigation services and robust network infrastructure.

Phishing and social engineering

The human factor remains the most common weak link in the security chain. Attackers readily use social engineering methods—especially phishing (fraudulent emails), vishing (fraudulent phone calls) and smishing (fraudulent SMS messages)—to trick employees or players themselves into disclosing access credentials.

In the context of online gambling, phishing campaigns target both players in order to misuse their accounts and customer support staff. Customer support communicates daily with a large number of unknown individuals and opens external attachments. An attacker may send an infected file which, once opened, infects the workstation with malware.

Defence against these attacks requires a combination of technical filters and systematic, repeated employee training through practical exercises and simulated phishing campaigns. Purely theoretical training without practical testing in real operations tends to be ineffective.

Illegal online gambling as a competitive and security threat

Illegal online gambling operators pose not only an economic threat to the legal market, but also a serious security risk. These entities are not subject to licensing proceedings, do not verify players’ identities via the Register of Excluded Persons (RVO), ignore AML rules, and do not implement cybersecurity standards.

For legal operators, this means an uneven competitive environment, while illegal platforms often serve to distribute malware and launder money. If there is a massive misuse of data on an illegal website, it may negatively affect public perception of the security of the entire online gambling sector.

The Czech Customs Administration actively searches for and blocks illegal websites and payment methods; however, combating illegal gambling is a long-term process. In their own interest, legal operators should cooperate with legal counsel to monitor the market and submit reports to the competent authorities to eliminate illegal competition.

Related questions

1. How significant a risk does ransomware pose for licensed operators?
The risk is extremely high. Online gambling platforms depend on continuous availability and real-time transaction processing, which makes them ideal targets for ransomware groups demanding ransom payments. A successful attack can paralyse operations for days or weeks, while also risking massive leaks of sensitive player data, with exposure to substantial fines and lawsuits. We recommend consulting the preparation of a defence strategy and recovery plans with our Prague-based specialists at office@arws.cz.

2. Why are DDoS attacks so common in online gambling and how can they be defended against?
DDoS attacks are relatively easy to carry out technically and cause immediate financial loss and reputational damage for operators. Attackers often use them as a pressure tool to extort ransom. Effective defence lies in deploying specialised cloud-based mitigation services, properly configuring network infrastructure, and integrating these measures into the business continuity plan (BCP). We will be happy to assist you with the legal and contractual setup of these services; contact us at office@arws.cz.

3. How can the risk of phishing among customer support staff be effectively eliminated?
Technical measures (filters, sandboxing) are essential, but regular training is key. Employees must undergo practical training and simulated attacks to learn to recognise suspicious communication patterns and follow strict security protocols when handling external files and links. To set up internal policies and training programmes, contact us at office@arws.cz.

Obligations of online gambling operators in the area of cybersecurity

Meeting statutory standards requires operators to implement specific procedural and technical measures. These measures must be fully integrated into the company’s day-to-day operations and regularly audited.

Player identification and verification (KYC) and the Register of Excluded Persons

In accordance with the Gambling Act (ZHH, the Czech abbreviation used below) and the AML Act, the operator is required to ensure reliable identification and verification of each player’s identity before a gaming account is created. In the online environment, electronic identification systems connected to the national identity authority (e.g., BankID) with a high level of assurance are used for this purpose.

If the operator implements remote verification by scanning identity documents and biometric verification, the technical solution must guarantee high resistance to forgery and comply with the GDPR. Upon registration and before each player login, the gaming system must automatically send a query to the Register of Excluded Persons (RVO).

The interface for querying the RVO must be secured by encryption, access certificates and robust authentication. The operator must log every query sent and every response received and retain these records for the purposes of supervisory authorities. An outage of the connection to the RVO or an error in the verification system that would allow an excluded person to play constitutes a serious breach of the law.

Self-limiting measures, Panic Button and responsible gaming

Implementing self-limiting measures requires the gaming platform to reliably track and evaluate the set limits for each player in real time. The technical solution must ensure that the limits cannot be circumvented and that any tightening of them is reflected in the system immediately.

Since this obligation was introduced, the gaming interface must permanently display a button for immediate prevention of participation in the game, i.e., the Panic Button. Activating it must result in the immediate termination of all the player’s active gaming sessions, locking the account for exactly 48 hours, and sending the player a confirmation with an offer to facilitate registration in the RVO.
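The RVO check, self-limits and Panic Button described in the last few paragraphs, as an added example that is not code from the page or from ARROWS: a login gate that queries the register before every login, logs every query and response, refuses stakes over the player’s daily limit, locks the account for exactly 48 hours after the Panic Button, and fails closed when the register is unreachable. The RVO client, player records and the walk-through data are constructed stand-ins, not the real interface.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

PANIC_LOCK = timedelta(hours=48)  # statutory lock after the Panic Button is pressed


class RvoUnavailable(Exception):
    """The register could not be reached; the gate must then fail closed."""


class StubRvoClient:
    """Constructed stand-in for the RVO interface (hypothetical, not the real API)."""

    def __init__(self, excluded: set[str], available: bool = True):
        self.excluded = excluded
        self.available = available

    def is_excluded(self, player_id: str) -> bool:
        if not self.available:
            raise RvoUnavailable("RVO interface unreachable")
        return player_id in self.excluded


@dataclass
class Player:
    player_id: str
    daily_stake_limit: int                             # CZK, chosen by the player
    staked_today: int = 0
    panic_locked_until: Optional[datetime] = None
    sessions: set[str] = field(default_factory=set)    # active session ids


@dataclass
class AuditEntry:
    when: datetime
    player_id: str
    event: str        # rvo_query, rvo_response, rvo_error, login_ok, login_denied, ...
    detail: str = ""


class LoginGate:
    def __init__(self, rvo: StubRvoClient):
        self.rvo = rvo
        self.audit: list[AuditEntry] = []   # retained for the supervisory authorities

    def _log(self, now: datetime, player_id: str, event: str, detail: str = "") -> None:
        self.audit.append(AuditEntry(now, player_id, event, detail))

    def check_rvo(self, player: Player, now: datetime) -> bool:
        """Query the RVO, logging the query and the answer. Returns True if the player
        may not play. An outage is logged and treated as exclusion (fail closed): letting
        an excluded person play after an RVO error is itself a breach of the Act."""
        self._log(now, player.player_id, "rvo_query")
        try:
            excluded = self.rvo.is_excluded(player.player_id)
        except RvoUnavailable as exc:
            self._log(now, player.player_id, "rvo_error", str(exc))
            return True
        self._log(now, player.player_id, "rvo_response",
                  "excluded" if excluded else "not_excluded")
        return excluded

    def login(self, player: Player, session_id: str, now: datetime) -> str:
        """Returns "ok", "panic_lock" or "rvo" and records the outcome in the audit log."""
        if player.panic_locked_until is not None and now < player.panic_locked_until:
            self._log(now, player.player_id, "login_denied", "panic_lock")
            return "panic_lock"
        if self.check_rvo(player, now):
            self._log(now, player.player_id, "login_denied", "rvo")
            return "rvo"
        player.sessions.add(session_id)
        self._log(now, player.player_id, "login_ok", session_id)
        return "ok"

    def place_stake(self, player: Player, amount: int, now: datetime) -> bool:
        """Refuse a stake that would breach the daily limit and log the player out,
        as the Act requires once a set limit is reached."""
        if player.staked_today + amount > player.daily_stake_limit:
            player.sessions.clear()
            self._log(now, player.player_id, "limit_reached", f"{amount} CZK refused")
            return False
        player.staked_today += amount
        return True

    def panic_button(self, player: Player, now: datetime) -> datetime:
        """End every active session, lock the account for exactly 48 hours and record
        that a request for entry in the RVO was offered to the player."""
        player.sessions.clear()
        player.panic_locked_until = now + PANIC_LOCK
        self._log(now, player.player_id, "panic_button",
                  f"locked until {player.panic_locked_until.isoformat()}, RVO entry offered")
        return player.panic_locked_until


def run_scenario() -> dict:
    """Constructed walk-through: an ordinary player, an excluded player, an RVO outage."""
    t0 = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
    rvo = StubRvoClient(excluded={"P-EXCLUDED"})
    gate = LoginGate(rvo)
    ok = Player("P-OK", daily_stake_limit=1000)
    excl = Player("P-EXCLUDED", daily_stake_limit=1000)
    r = {}
    r["login_ok"] = gate.login(ok, "s1", t0)
    r["login_excluded"] = gate.login(excl, "s2", t0)
    r["stake_ok"] = gate.place_stake(ok, 600, t0)
    r["stake_over_limit"] = gate.place_stake(ok, 500, t0)        # 1100 > 1000
    r["sessions_after_limit"] = len(ok.sessions)                  # logged out
    pressed = t0 + timedelta(hours=1)
    r["lock_hours"] = (gate.panic_button(ok, pressed) - pressed).total_seconds() / 3600
    r["login_during_lock"] = gate.login(ok, "s3", t0 + timedelta(hours=47))
    r["login_after_lock"] = gate.login(ok, "s4", t0 + timedelta(hours=49))
    rvo.available = False                                          # simulated outage
    r["login_rvo_outage"] = gate.login(ok, "s5", t0 + timedelta(days=3))
    r["rvo_queries"] = sum(e.event == "rvo_query" for e in gate.audit)
    r["rvo_errors"] = sum(e.event == "rvo_error" for e in gate.audit)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```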

AML obligations: monitoring and reporting suspicious transactions

Operators must have an effective system in place to monitor gaming and financial transactions in order to detect unusual or suspicious activity. The monitoring system must analyze parameters in real time, such as unusual deposits, rapid withdrawals without adequate gaming activity, or suspicious changes in player behavior.

If the system identifies a transaction as suspicious, it must be automatically suspended and escalated to the responsible person for assessment. If the suspicion is confirmed, the operator is required to file a suspicious transaction report with the FAÚ and strictly maintain confidentiality vis-à-vis the client. All steps of the analysis and decision-making must be documented in detail.

GDPR and cybersecurity: contracts, retention, breach management

In accordance with the GDPR, operators must ensure the protection of players’ personal data throughout its entire lifecycle. This includes detailed contractual arrangements with IT suppliers who have access to players’ data, in the form of data processing agreements (DPAs) defining technical and organizational security safeguards.

Personal data may be retained only for as long as necessary, and once statutory retention periods expire, the data must be securely deleted. The operator must have a process for detecting and assessing security breaches. If a data leak occurs, the incident must be reported to the ÚOOÚ within 72 hours.

Obligations under NIS2/ZoKB: risk management, incidents, management roles

Under the new Cybersecurity Act (ZoKB) implementing the NIS2 Directive, operators that meet the criteria for providers of a regulated service must implement a comprehensive information security management system (ISMS). This includes regular risk analysis and prioritization of security measures.

If an incident occurs with a significant impact on the availability of the gaming platform, the operator is required to submit an initial report to NÚKIB within 24 hours. The company’s statutory body bears direct responsibility for approving the security strategy, allocating adequate resources, and overseeing its implementation.

Obligations in the event of a personal data breach and cybersecurity incidents

When a cybersecurity incident occurs, such as a successful ransomware attack, obligations towards multiple regulators arise simultaneously. It is necessary to submit a notification to NÚKIB within 24 hours, to the ÚOOÚ within 72 hours, and, in the event of a high risk to players’ rights, to also inform the affected users directly.

To manage these crisis situations, it is essential to have a pre-prepared, tested, and regularly updated incident response plan. This plan must clearly define communication flows, responsibilities, and pre-prepared reporting templates for the individual authorities.

Potential issues and how ARROWS helps (office@arws.cz)

Potential issue: Failure to check the RVO. A technical integration error allows an excluded person to play, leading to the risk of high fines and revocation of the licence.
How ARROWS helps: Legal audit and contract review. We will conduct a legal audit of the integration processes, review contracts with the platform’s IT suppliers, and set liability for technical outages.

Potential issue: Insufficient AML controls. Formal or incomplete transaction monitoring with the risk of sanctions by the FAÚ of up to CZK 50 million.
How ARROWS helps: AML compliance programme. We will prepare a risk assessment and a tailored system of internal policies, train employees, and prepare you for an FAÚ inspection.

Potential issue: Missing data processing agreements. Sharing data with IT and marketing partners without a DPA meeting Article 28 GDPR, with the risk of high fines from the ÚOOÚ.
How ARROWS helps: GDPR contractual audit. We will analyse data flows and identify processors, and prepare or negotiate robust data processing agreements protecting your interests.

Potential issue: Inadequate incident response. Chaos during a data leak, failure to meet statutory reporting deadlines to NÚKIB and the ÚOOÚ.
How ARROWS helps: Crisis management and incident response. We will prepare the legal and communications part of the incident response plan, provide crisis support on a 24/7 basis, and represent you before regulators.

Potential issue: Personal liability of management. Members of the statutory body face personal liability for neglecting cybersecurity under NIS2.
How ARROWS helps: Corporate governance and training. We will set up reporting lines for management, prepare decision-making methodologies, and deliver specialised training for statutory representatives.

Proven technical and organizational cybersecurity practices in online gambling

Technical measures form the fundamental pillar of cybersecurity for any online platform. For these measures to be truly effective, they must reflect current technological standards and proven industry best practice.

Securing communications and infrastructure: TLS/HTTPS, data centres, backups

All communication between the player’s device and the gaming servers must be encrypted using current and secure cryptographic protocols: TLS 1.3, or at a minimum TLS 1.2 with strong cipher suites. The use of HTTPS with valid and trusted SSL/TLS certificates is the standard that prevents eavesdropping.

The gaming platform’s servers and data storage must be located in certified data centres guaranteeing a high level of physical and logical security. The backup strategy must strictly follow the 3-2-1 rule, which requires at least three copies of data on two different types of media, with one backup stored off-site.

At least one backup must be completely isolated from the production network (a so-called air-gapped backup), which is a key line of defence against ransomware encrypting backups. The data recovery process from backups (disaster recovery) must be regularly tested and evidenced by written records.

Access management: passwords, MFA, and privileged accounts

The operator must implement a strict access management policy based on the principle of least privilege, under which employees may access only those systems and data that they strictly need to perform their work.

A key measure is the mandatory implementation of multi-factor authentication (MFA) for all employees accessing internal systems and administration. The password policy must require the use of strong passwords and password managers for secure storage of login credentials.

Penetration testing, audits, and ISO 27001

Regular testing of system resilience is an essential element of proactive security. The operator should, at a minimum, ensure independent penetration testing at least once a year and always after a significant change to the gaming platform or infrastructure, covering both the external network perimeter and the internal network.

Implementing and certifying an information security management system under ISO/IEC 27001 is the best way to manage cyber risks systematically. This international certification demonstrates a high level of security to partners, investors, and supervisory authorities.

Software updates and vulnerability management

Most cyberattacks exploit known software vulnerabilities for which vendors have already released security patches that the operator failed to install in time. Best practice requires automated vulnerability scanning and systematic patch management.

Setting clear deadlines for installing security updates based on the criticality of the vulnerability is the cornerstone of preventive protection. If the operator develops its own software, security testing must be integrated directly into the development and code deployment process.

Incident response plan and exercises

Having an Incident Response Plan in place is essential to minimize damage in the event of a successful attack. The plan must be in writing, easily accessible even in the event of a complete IT infrastructure outage, and must include a precise definition and categorization of incidents.

The Incident Response Plan must assign specific roles within the team and include a communication matrix for informing management, lawyers, and supervisory authorities. The plan’s effectiveness must be regularly verified through simulated exercises involving IT, the legal department, and management.

Compliance, inspections and sanctions: what online gambling operators face

Supervision of online gambling in the Czech Republic is very strict and divided among several public authorities. Failure to comply consistently with statutory obligations may have serious legal and financial consequences for operators.

Inspections by the Ministry of Finance, the Czech Customs Administration, FAÚ, ÚOOÚ and NÚKIB

An online gambling operator is subject to oversight by several specialized public authorities, each of which monitors a specific area. The Ministry of Finance conducts licensing proceedings, while the Czech Customs Administration carries out direct supervision and verifies compliance with gaming rules and connectivity to the RVO.

The Financial Analytical Office (FAÚ) monitors compliance with AML obligations, ÚOOÚ supervises compliance with GDPR rules, and NÚKIB reviews cybersecurity. These inspections may be scheduled or ad hoc, often triggered by a complaint from a dissatisfied player or competitive pressure.

Typical operator mistakes in practice

The experience of the attorneys at ARROWS advokátní kancelář points to the most common systemic errors that lead to sanctions. These include formalistic compliance, where the operator has prepared internal policies that do not reflect reality and are not known to employees.

Another frequent issue is underestimating supplier risks, in particular the absence or inadequacy of contracts with key IT partners. In addition, systems often do not maintain detailed and protected audit trails, which prevents the operator from proving proper verification in the RVO or investigating an incident.

Sanctions under the ZHH, AML, GDPR and the ZoKB/NIS2

Financial and non-financial penalties for breaches of statutory obligations can have fatal consequences for operators. For serious breaches of the Gambling Act (ZHH), a fine of up to CZK 50 million may be imposed, and in extreme cases the Ministry of Finance may revoke the basic licence.

For breaches of AML regulations, the FAÚ may impose a fine of up to CZK 50 million or up to 10% of total annual turnover. In the event of a serious GDPR breach, ÚOOÚ may impose a fine of up to EUR 20 million or 4% of worldwide annual turnover. Under the new Cybersecurity Act (ZoKB) implementing NIS2, sanctions may reach up to EUR 10 million.

How to structure a compliance programme and governance

Effective protection against sanctions and incidents requires the implementation of a robust compliance programme integrated into corporate governance. Company management must clearly declare compliance as a priority, approve key policies, appoint qualified responsible persons, and ensure they have an adequate budget.

The foundation of a successful compliance programme is regular risk assessment, clear documentation, and interactive employee training. The entire system must be continuously monitored and supported by indisputable audit trails demonstrating that the measures work in practice.

Strategic approach: cybersecurity as part of managing company value in online gambling

Cybersecurity is becoming one of the key factors determining the overall value and stability of a modern gaming business. A proactive approach to data protection represents a clear competitive advantage.

Cybersecurity, reputation and brand value

In the digital environment of online gambling, reputation is the most valuable commodity. Players entrust the operator not only with their funds, but also with highly sensitive personal data and their trust in the fairness of the game. A cybersecurity incident immediately destroys that hard-earned trust and, with it, the value of the brand.

Investments in cybersecurity therefore represent a strategic tool for increasing overall company value. A secure gaming environment attracts higher-value players and facilitates partnerships with reputable international providers of gaming content and payment services.

Integrating the legal, technical and business perspective

Effective cybersecurity management requires moving beyond the traditional approach in which IT security, legal compliance, and business management operated in isolation. A strategic approach requires their close integration.

Lawyers and compliance specialists in this structure act as an integrating element, translating complex requirements into clear technical specifications. They help company management make informed decisions with a view to minimizing legal, financial, and reputational risks.

ARROWS advokátní kancelář as a partner for long-term cooperation

The legal and technological environment in online gambling and cybersecurity is evolving at an extraordinary pace. Operators must continuously respond to legislative amendments, new positions of regulators, and the changing spectrum of cyber threats.

ARROWS advokátní kancelář has a team of specialists with deep knowledge of gaming law, transactional business, and the technical aspects of online platforms. Our firm maintains prestigious professional liability insurance with a limit of CZK 400 million, providing our clients with maximum assurance.

Final summary

Cybersecurity in online gambling in 2026 is a highly complex discipline at the intersection of gaming regulation (ZHH), AML regulations, GDPR, and the new Cybersecurity Act (NIS2). Operators face sophisticated attacks and strict oversight by supervisory authorities, which may impose crippling sanctions.

Successfully meeting these requirements requires the implementation of robust technical measures and their integration into internal compliance processes. ARROWS advokátní kancelář is ready to become your long-term partner, helping you build a functional compliance programme, securely set up contractual relationships with suppliers, and guide you through licensing and inspection processes.

FAQ

1. What are the exact financial thresholds for determining whether an operator falls under the new Cybersecurity Act (NIS2)?
The new Cybersecurity Act (ZoKB), in line with the NIS2 Directive, generally applies to entities that provide a regulated service and meet the criteria of a medium-sized or large undertaking, i.e. those that employ 50 or more employees, or achieve an annual turnover or an annual balance sheet total of at least EUR 10 million (approximately CZK 250 million). However, NÚKIB may, in justified cases, designate even a smaller company as a regulated entity if its service is of fundamental importance to the economy or society in the Czech Republic. For a precise assessment of your obligations, contact us at office@arws.cz.

2. How can the conflict between the obligation to erase data under the GDPR and the obligation to retain it for 10 years under the AML Act be resolved in practice?
This conflict is resolved by the principle of precedence of a specific statutory obligation. The right to erasure under Article 17 GDPR does not apply to the extent that the processing of personal data is necessary for compliance with a legal obligation to which the controller is subject under Union or Member State law (which is precisely the case for retaining transaction and identification data for 10 years under the AML Act). However, once this ten-year period has expired, you must securely erase the data without undue delay.

3. By when do I have to report an incident to NÚKIB, and what happens if I miss the deadline?
If you fall under the new ZoKB, you must report a significant cybersecurity incident to NÚKIB within 24 hours from the moment you became aware of it (the so-called initial warning). If you fail to meet this deadline without an objective reason, you commit an administrative offence, with the risk of a high fine imposed by NÚKIB (up to millions of euros or a percentage of turnover). In addition, a delay prevents effective coordination of defence at the national level in the Czech Republic.

4. Is it necessary to enter into a data processing agreement (DPA) also with an external auditor or a law firm?
As a rule, no. Law firms (including ARROWS) and certified auditors, when providing their services, typically act as independent controllers of personal data rather than as your processors, because they themselves determine the purposes and means of data processing in accordance with their professional legislation (the Czech Advocacy Act and the Czech Auditors Act). Therefore, a personal data processing agreement under Article 28 GDPR is not concluded with them; however, the general information obligations towards data subjects must be met and data protection ensured on the basis of the statutory duty of confidentiality.

5. What exactly must the Panic Button system contain from a personal data protection perspective?
Activation of the Panic Button results in the processing of highly sensitive data indicating that the player has decided to immediately interrupt participation in the game (which may indicate a gambling problem or addiction). Information about the activation of the Panic Button, the blocking of the account for 48 hours, and the submission of an intermediated request for entry in the RVO must be stored in a secure database with strictly limited access only for selected compliance employees. Under no circumstances may this data be used for marketing purposes (e.g., sending offers after the 48-hour period); such conduct would constitute a serious breach of the GDPR and the ZHH.
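The access rules described in this answer, as an added example (not the firm's or any operator's code): a small Python store that enforces the 48-hour block, records every read attempt in an audit trail, and refuses reads that are not for a compliance purpose. The role and purpose names, the player id and the timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BLOCK_DURATION = timedelta(hours=48)  # account block after activation
# (role, purpose) pairs allowed to read self-exclusion data; names are assumed.
ALLOWED_ACCESS = {("compliance", "player_support"), ("compliance", "rvo_request"), ("compliance", "audit")}

@dataclass
class PanicRecord:
    player_id: str
    activated_at: datetime
    rvo_request_submitted: bool  # intermediated request for entry in the RVO
    audit_trail: list = field(default_factory=list)  # (time, actor, action)

class PanicButtonStore:
    """Panic Button records; every read attempt, allowed or denied, is logged."""
    def __init__(self):
        self._records = {}
    def activate(self, player_id, now, rvo_request):
        rec = PanicRecord(player_id, now, rvo_request)
        rec.audit_trail.append((now, "system", "activate"))
        self._records[player_id] = rec
        return rec

    def is_blocked(self, player_id, now):
        rec = self._records.get(player_id)
        return rec is not None and now < rec.activated_at + BLOCK_DURATION

    def read(self, player_id, role, purpose, now):
        rec = self._records[player_id]
        if (role, purpose) not in ALLOWED_ACCESS:
            rec.audit_trail.append((now, role, "denied:" + purpose))  # misuse attempt stays provable
            raise PermissionError(f"{role} may not read Panic Button data for {purpose}")
        rec.audit_trail.append((now, role, purpose))
        return rec

def demo():
    """Constructed scenario: activation, a denied marketing read, block expiry."""
    store = PanicButtonStore()
    t0 = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
    store.activate("player-42", t0, rvo_request=True)
    try:
        store.read("player-42", "marketing", "campaign", t0 + timedelta(hours=1))
        denied = False
    except PermissionError:
        denied = True
    rec = store.read("player-42", "compliance", "audit", t0 + timedelta(hours=2))
    return {"blocked_47h": store.is_blocked("player-42", t0 + timedelta(hours=47)),
            "blocked_49h": store.is_blocked("player-42", t0 + timedelta(hours=49)),
            "marketing_denied": denied, "audit_entries": len(rec.audit_trail)}
```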

6. How often must employee training in AML and cybersecurity be carried out, and what form is recommended?
Under the AML Act, training must take place at least once a year; for cybersecurity (ZoKB/NIS2), regular education proportionate to the risks is required. A mere e-learning presentation with a formal test is often viewed by regulators as insufficient. We recommend combining an interactive explanation (a lecture with practical examples) with practical simulations (e.g., a controlled phishing test with immediate feedback for employees who make mistakes). All training sessions must be evidenced by a detailed written record including the names of participants, the date, the training content, and the instructor’s signature.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.
