New Italian Online Gambling Technical Guidelines – What’s New In The certification Requirements?

The Italian Gambling Authority (“ADM“) has issued new draft guidelines for the certification of online gaming platforms (“Guidelines“), outlining the technical rules and procedures relevant to activate gaming platforms under the new Italian online gambling license.

Intended as a reference for both certification bodies and license holders, the Guidelines cover critical areas including IT infrastructure, software architecture, data governance, and access management. Below is a summary of the most notable changes introduced.

As a general comment, the guidelines grant considerable new obligations to certification bodies that will be responsible not only of technical verifications but also to assess the compliance of Italian licensed gambling platforms with the applicable requirements. This means that certifications might have to be substantially more detailed and time consuming.  Below is a summary of the most relevant changes:

The introduction of the concept of Italian gambling operator’s system and the check on the legal compliance

The operator’s system is defined in the unified nomenclature of definitions as the “IT environment that includes one or more gaming systems and the operator’s gaming account system“. In particular, among the components of the operator’s system, the following must be clearly identified:

• Each gaming system;
• Each gaming platform;
• Each gaming application;
• Each game acceptance system;
• The game offering presentation system (website and/or app);
• The operator’s gaming account system.

In addition to the components listed above, the system for automated software integrity verification and the various hardware and software groups involved in each functionality concerning must also be clearly identified. Each component of the operator’s system must be pre-verified and validated through visual inspections, functionality tests, and source code inspection, possibly with the assistance of documentation provided by the manufacturer.

The technical compliance verification must ensure both the correct and compliant use of the operator’s system components and the continuous adherence – also from a pure legal perspective – to the technical regulations in the interactions between them, also considering all possible configurations during the exchange of information between the operator’s system components and ADM’s centralized control system.

These check include also the verification of the location of the technical infrastructure while in the past there was a mere self declaration by the operator.

Enhanced disaster recovery requirements and malfunctioning requirements

The Guidelines places stronger emphasis on business continuity. Operators must have in place a comprehensive disaster recovery plan, ensuring – among others – real-time backup and mirroring at a secondary site. Further, it shall be demonstrated that data replicated at the secondary site are functional and capable of ensuring uninterrupted gameplay.

As for malfunctions, the procedures differ based on the specific type of game. Specifically:

Virtual Games:

• Open events during a malfunction must be canceled with full refunds. In multiple bets, canceled odds are excluded from winnings.
• Closed events must continue post-recovery, even without display. Results must still be reported.
• Multi-events and tournaments with canceled virtual events are fully canceled and refunded. No new events can be added to affected tournaments.
• The system must resume only upcoming events after recovery, and protocols must allow data recovery and proper reporting.

Skill Games, Casino and Card Games and Bingo:

• If play continues, the operator must fix issues promptly.
• If play is blocked, integrity checks must be performed, ADM and players notified, and full refunds issued.

Integrity Verification:

• Ensure data is saved properly, interrupted games are resumed or restored, and if not, refunds are provided.

Limitations in case of usage of cloud infrastructure by Italian licensed online gambling operators

Cloud computing solutions can only be used if:

• all resources are hosted within the European Economic Area (EEA);
• the cloud provider is qualified according to the requirements of the Italian digital authority (AGID) and the Italian cybersecurity authority (ACN), making it eligible for use by public administrations under the Italian regime for the provision of cloud computing services to public administrations.

This means that Italian licensed online gambling operators can use only cloud providers that are enrolled in the dedicated registry of ACN and whose compliance with AGID and ACN’s requirements has been verified.

Stricter player self-limitation measures and in-session alerts

Self-limitation remains mandatory but becomes more stringent. In particular, upon account activation, players must set limits that cannot initially exceed:

• 3 hours of gameplay per day;
• €100 daily spending limit;
• € 200 daily top-up limit.

Operators must implement real-time alerts that notify users once they reach:

• 1 hour of gameplay, or
• €100 in spending.

Italian gambling site’s domain name ownership and mobile apps

The domain name used for the gaming site – which shall have the Italian extension “.it” – must be registered directly under the license holder’s name. Licensing or third-party registration, even within corporate groups, is not permitted. License holders are fully responsible for managing any mobile apps related to their games. Such Apps must function properly, be aligned with the central system and comply with the same standards as the web platform. This requirement is a considerable problem for large groups where IP rights are held in a single entity to the benefit of the whole group.

Platform sharing

When a license holder hosts gaming systems for other operators, the license holder will acquire the position of “service provider license holder”. When acting as service provider license holder, the latter shall guarantee that the gaming systems must be logically or physically separated. It must always be possible to isolate data related to each individual operator.

RNG validation

Random Number Generators (RNGs) are now subject to stricter requirements. In particular, among others:

• confidence level raised from 95% to 99%;
• new statistical tests to assess causality, statistical independence, equal probability, non-reproducibility, and unpredictability.

Data storage and real-time Reporting

Operators must implement robust data governance protocols, ensuring:

• Real-time access to all gameplay and operational data from the last 6 months;
• On-demand availability of all accounting and transaction data for at least 2 years;
• Five-year archival of all data, ensuring integrity, readability, and secure accessibility throughout the retention period;
• Capability to execute custom queries across stored datasets, with exportable results delivered within 48 hours of the request.

Further, operators are required to generate and deliver, within 48 hours:

1. A complete list of all player accounts as of a specific date, including account status (active, suspended, closed, etc.) and associated player details;
2. A report highlighting accounts that exceed predefined thresholds for deposits, withdrawals, or winnings within a selected timeframe, based on customizable parameters set by the operator.

Automated systems and Artificial Intelligence in gameplay

In games where outcomes may be influenced – fully or partially – by automated decision-making systems, algorithms, or external computing tools (e.g., artificial intelligence in chess or virtual betting advisors), operators are required to explicitly disclose the presence and function of such systems in the game rules before game participation, in order to provide players with the necessary context to make an informed choice about whether to engage in the game. This is something totally new, but the usage of AI in the gambling sector is exponentially expanding also for responsible gaming verifications.

Multi-Factor authentication (MFA)

User sessions must only be opened after multi-factor authentication (MFA), involving:

• credential input;
• a second layer of verification, chosen by the operator (e.g., OTP, biometric, push notification).

Jackpot certifications

The guidelines mention that for gaming systems used in “gaming network” mode – where multiple operators share a platform – no logical or physical separation is required. This allows wagers from different operators on the same platform. However, the guidelines do not specifically address network jackpots or network games, which could imply restrictions or future updates.

Additionally, there is uncertainty regarding the certification process for shared platforms within the systems of multiple operators. It is likely that ADM will introduce new rules for certification procedures, updating previous guidelines that currently allow platform cross-referencing and certifications through the network leader.

Transition to the new system

License applicants awarded new licenses may reuse components previously certified or approved by ADM under the old regime, provided they have already passed conformity checks. Only the integration of these components must be verified, simplifying the transition. This option is valid until the term for activating the platform complying with the Guidelines.

These new Italian online gambling guidelines mark a decisive shift toward higher operational standards, aimed at improving system integrity, regulatory alignment, and player protection which translate in considerable new obligations for operators. A large number of provisions of the guidelines remain unclear and it is possible to submit comments to the draft Italian online gambling guidelines by 15^th April 2025. Such aspect is paramount during a period when entities are applying for new Italian online gambling licenses, and on the matter you can read this article New Tender for Italian online gaming licenses Launched – Here are the updated FAQs!

Authors: Vincenzo Giuffrè and Federico Toscani