MGA Technical Standards and GLI-19: How Certification Maps for Malta Licensing
GLI-19 certification covers significant ground for MGA applicants, but Malta's principles-based framework demands more. Map exactly where the two regimes align and where gaps remain.
For game suppliers and B2B licensees preparing an MGA application, the first technical question is almost always the same: does GLI-19 certification satisfy Malta’s requirements, and if so, to what extent? The short answer is that a GLI-19 v3.0 certificate from an appropriately accredited independent testing laboratory resolves the game-integrity and RNG compliance question for MGA purposes. It does not resolve the infrastructure, cloud architecture, or regulatory data obligations, which are governed by a parallel set of MGA-specific instruments that GLI-19 was never designed to address.
Understanding where the two regimes align, and where they diverge, is the practical task this article addresses. The analysis draws on the MGA’s Technical Infrastructure Guidelines for Remote Gaming (December 2015, v1), the Gaming Authorisations and Compliance Directive (Directive 3 of 2018, updated October 2021), the Player Protection Directive (Directive 2 of 2018), and GLI-19: Standards for Interactive Gaming Systems v3.0 (revised July 17, 2020).
The MGA’s Principles-Based Approach to Technical Standards
The MGA does not operate a prescriptive, standard-by-standard certification regime in the manner of some North American regulators. Its Technical Infrastructure Guidelines state explicitly that the Authority’s “principles-based approach is being complemented by the identification of accepted industry standards that the MGA considers to meet its compliance requirements.” Deviations from those accepted standards are permissible where the Authority is satisfied that appropriate risk mitigation is in place.
This matters for how GLI-19 sits within the framework. The MGA does not formally adopt GLI-19 as a mandatory prescribed standard. Instead, GLI-19 certification is treated as strong evidence that an applicant’s interactive gaming system meets the Authority’s regulatory objectives, in particular integrity, security, and game fairness. The acceptance is outcome-driven rather than standard-driven, which gives the Authority flexibility to evaluate systems on a risk-proportionate basis but also means that a GLI-19 certificate is not, by itself, a compliance checklist item that can be ticked and set aside.
“The acceptance and approval of a particular proposal will be largely dependent on an assessment of the risks posed. In view of this, and subject to mitigation measures that are adopted, deviations from these standards will also be considered.”, MGA Technical Infrastructure Guidelines (December 2015, v1)
Source: Malta Gaming Authority, Technical Infrastructure Hosting Gaming and Control Systems, Remote Gaming Guidelines, December 2015, v1.
What Does GLI-19 v3.0 Actually Cover?
GLI-19 v3.0, published July 17, 2020, is Gaming Laboratories International’s primary standard for online and interactive gaming platforms. Its scope encompasses the complete technical stack of a conventional remote gaming operation, from server-side game logic through to the player-facing interface. Compliance professionals need to understand what the standard covers in depth before mapping it to MGA obligations. The GLI Certification hub provides a broader overview of the full GLI standards family and how individual standards fit into the certification process across jurisdictions.
Chapter 3 of GLI-19 addresses Random Number Generator requirements in the greatest detail of any chapter in the standard. The independent test laboratory must review source code for all core randomness algorithms, scaling algorithms, and shuffling algorithms. Statistical analysis is performed at a 99% confidence level, and tests include total distribution and chi-square tests, independence tests, and a range of additional tests chosen by the laboratory on a case-by-case basis. Hardware-based RNGs must have dynamic output monitoring that disables game play when malfunction is detected. Software-based RNGs must resist state compromise extension attacks by periodically modifying their state through external entropy.
Chapter 4 covers Game Requirements, including return to player calculations, game payout percentages, virtual event wagering, and live game requirements. For live games, the standard requires that the entire process be viewable by players through real-time audio and video, that all login events involving live game equipment be logged, and that equipment storage media be securely overwritten before disposal or re-use. Chapter 2 governs account management: player authentication, multi-factor authentication for financial transactions, limitations and exclusions at the system level, and financial transaction logging. The information security requirements in Appendix B address third-party service provider communications, requiring encrypted and strongly authenticated connections, segregated network segments for third-party data, and prohibition on routing data packets to player-facing network segments.
GLI-19 also acknowledges its own scope limits. The standard notes that certain operational matters are intended to fall within operational audits performed for local jurisdictions rather than within laboratory testing. This is precisely the boundary where MGA-specific obligations begin.
The Test Laboratory Accreditation Question
Before mapping GLI-19 coverage to MGA requirements, it is necessary to establish whether GLI itself qualifies as an approved testing laboratory under Maltese regulatory instruments. Directive 2 of 2018 defines “Testing Lab” as “an independent testing lab accredited within a Member State of the European Union or a Member State of the European Economic Area or any other jurisdiction or territory approved by the Authority or recognised by the Authority as having the required accreditation to issue a certificate.”
GLI holds laboratory accreditations in multiple jurisdictions and operates testing facilities across Europe. Notably, GLI-19 v3.0 itself acknowledges the Lottery and Gaming Authority, Malta (the MGA’s predecessor) among the regulatory bodies whose documents were reviewed in developing the standard, a clear indication of the long-standing relationship between GLI’s technical framework and the Maltese regulatory environment. The MGA maintains a Recognition Notice Register, and applicants should verify current lab approval status through that register before committing to a specific testing engagement, as recognition is subject to ongoing review.
The Directive 2 of 2018 provision also gives the Authority discretion to require a testing lab certificate: “The Authority may require a licensee or an applicant for a licence to submit a certificate issued by a testing lab certifying compliance with this Directive.” In practice, this is standard for B2B game providers and B2C operators hosting their own gaming systems, particularly where RNG-dependent games are involved.
How GLI-19 Maps to MGA’s Four Regulatory Objectives
The MGA Technical Infrastructure Guidelines organise their requirements around four regulatory objectives. The mapping below identifies which elements of each objective GLI-19 certification addresses and which remain entirely outside its scope.
| MGA Regulatory Objective | Covered by GLI-19 v3.0 | Outside GLI-19 Scope (MGA-Specific) |
|---|---|---|
| Integrity and Security | RNG integrity, source code review, game outcome independence, information security controls, change management for gaming systems, malfunction detection | Network schematic submission, hardware IP declarations, server location documentation, firewall and router specifications, physical premises security assessment |
| Availability, Traceability and Accessibility | Audit file logging for all significant events, jackpot records, alteration reports, transaction logs at system level | Real-time regulatory data mirror server, MGA real-time access to live information, accessibility during investigations across cloud environments |
| Privacy and Confidentiality | Player data handling within the interactive gaming system, access controls, authentication credentials management | GDPR compliance under Maltese and EU law, player data governance frameworks beyond gaming system boundary, data protection impact assessments |
| Accountability | Operator responsibility obligations within the standard’s operational sections, system-level documentation requirements | Full regulatory accountability remains with the licensee at all times, with no transfer to suppliers, white-label providers, or cloud service operators regardless of their certification status |
Essential Components: The MGA’s Specific Framework
Directive 3 of 2018 defines “essential components” with precision. They comprise components hosting RNGs, components hosting jackpots, components hosting games, the gaming database, the player database, the financial database, the control system, and any other component the Authority may designate as critical. This definition is broader than GLI-19’s own concept of critical control program components, which focuses primarily on systems generating, transmitting, or processing random numbers and storing the current state of player wagers.
Under the relevant provision of Directive 3 of 2018, licensees must ensure that essential components are subject to additional safeguards to minimise risk. The hardware forming part of the key technical setup may only be located in premises that adhere to a high level of information security, and the Authority considers that such premises should conform to the latest industry standards. For cloud environments, the Technical Infrastructure Guidelines are more specific: critical components must be hosted on a private cloud environment not shared with other tenants. Virtual private cloud environments are permissible only where the Authority is satisfied that integrity and security are not at risk.
The real-time mirror server obligation is among the most operationally demanding MGA-specific requirements. The relevant provision of Directive 3 of 2018 requires licensees to maintain a live or real-time mirror server for essential regulatory data that must be readily accessible to the Authority at all times, including by means of physical access where applicable. GLI-19 has no equivalent requirement: the standard addresses logging and audit file maintenance within the gaming system, not the provision of a dedicated regulatory data feed to a supervisory authority.
“The responsibility for the attainment of the established and desired standards on these regulatory principles will remain that of the licensee at all times.”, MGA Technical Infrastructure Guidelines (December 2015, v1)
Information Security: Where GLI-19 and MGA Standards Intersect Most Directly
The MGA Technical Infrastructure Guidelines reference ISO/IEC 27002:2013 as the information security standard that cloud service providers should follow when implementing their Information Security Management System. For payment card data, the Guidelines specifically require PCI DSS Level 1 certification. These explicit standard references create parallel certification tracks that exist alongside, not below, any GLI engagement.
GLI-19 Appendix B covers information security in substantial depth. Requirements address mobile computing security (telecommuting prohibited except where endpoint security is guaranteed), third-party service provider communications (encrypted channels, authenticated connections, segmented networks), and access controls at both the administrative and player levels. The Appendix B controls overlap meaningfully with ISO/IEC 27002:2013 domains, as both address access management, communications security, and operational procedures, but they do not replace an ISO 27001 management system certification or a formal ISO/IEC 27002 implementation review.
In practice, a licensee relying on GLI-19 for information security coverage will need to demonstrate separately that its hosting environment either holds ISO 27001 certification or has undergone an equivalent assessment. The MGA Compliance Audit Manual (MGA/G/001) confirms this layered approach: auditors are required to verify that licensees have implemented information security management policies consistent with the standards referenced in the Technical Infrastructure Guidelines, in addition to any game-level certification obtained through an independent testing laboratory.
Practical note: Hosting locations certified under ISO 27001 and ISO/IEC 27002:2013 accelerate MGA application processing. The Technical Infrastructure Guidelines state that “hosting locations that are certified as per the above standards will facilitate the processing of an application.” PCI DSS Level 1 certification is required where payment card data is stored or processed.
The B2B Supplier Position: Game-Level vs System-Level Certification
The certification mapping differs materially depending on whether the applicant is a B2C operator running its own gaming platform or a B2B licensee supplying critical gaming supply (game content, platform technology, or other critical components) to B2C operators. For B2B suppliers, the practical scope of GLI-19 certification is narrower and more directly relevant to their regulatory obligation.
Under the MGA’s framework, a B2B licensee that provides a critical gaming supply, defined in the Gaming Authorisations Regulations as the first category of critical gaming supply, is responsible for the game-level technical compliance of the products it supplies. Where the B2C licensee’s games are hosted and managed by an approved B2B licensee, the B2B licensee may fulfil the B2C operator’s obligation to monitor average RTP under Directive 2 of 2018. In this context, GLI-19 game certification provides direct compliance value: it demonstrates that the RNG and game logic meet the Authority’s standards and, depending on the Authority’s specific requirement, may satisfy the testing lab certificate obligation under Directive 2.
However, the MGA’s FAQs on its Licensee Portal confirm that games supplied by providers not licensed by the MGA or a competent authority within the EU/EEA cannot be offered on an MGA-licensed website, even if those games carry GLI-19 certification from an accredited laboratory. The game provider itself must hold appropriate authorisation. A GLI certificate alone does not substitute for the provider’s own MGA or EU/EEA licensing status. Certification confirms technical compliance, it does not confer regulatory authorisation.
Change Management: A Gap Where MGA Obligations Exceed GLI-19
GLI-19 addresses change management within the gaming system context, requiring operators to document and follow system procedures including malfunction investigation and resolution processes. GLI’s standalone Change Management Program Guide (v1.0) expands on these obligations for jurisdictions that adopt formal change management programmes.
The MGA operates its own change management framework with specific procedural requirements. The Compliance Audit Manual requires auditors to obtain copies of the Change Management Procedure, verify that changes have been approved in accordance with that procedure, and review records evidencing changes in software, hardware, and network configuration. Separately, licensees must submit a Technical Change to Key Essential Components application through the MGA Licensee Portal for any modifications to essential components, with the Authority tracking request status in real time.
This two-track change process, covering internal change management documentation audited against the MGA’s procedure requirements plus a formal application to the Licensee Portal for essential component changes, has no direct equivalent in the GLI-19 framework. Compliance teams building change management processes for MGA-licensed operations must therefore design their procedures against the MGA’s own requirements, using GLI guidance as supplementary input rather than as the primary reference.
What GLI-19 Certification Leaves for Operators to Address
A GLI-19 v3.0 certificate from an MGA-recognised laboratory leaves the following obligations entirely unaddressed, each requiring separate compliance action under the MGA’s regulatory framework.
Network infrastructure documentation must be submitted to the MGA in the form of a complete network schematic showing all hardware, virtual machines, internal IP addresses, and the geographic locations of all premises hosting gaming systems, control systems, and regulatory data. This obligation applies at the application stage and must be kept current throughout the licence period.
The real-time regulatory data mirror server must be maintained and made accessible to the MGA on a continuous basis. Where infrastructure is located outside Malta, including in cloud environments, this accessibility obligation is more demanding, and the Technical Infrastructure Guidelines acknowledge the jurisdictional access issues that can arise.
The private cloud requirement for essential components means that licensees using shared cloud infrastructure must restructure their hosting architecture before applying. Public cloud tenancy shared with other operators is not permissible for RNG hosts, jackpot servers, the gaming database, the player database, or the financial database.
Player protection and responsible gambling controls, including self-exclusion system integration, deposit and loss limit implementation, reality checks, and cooling-off periods, are governed by Directive 2 of 2018 and are assessed separately from any infrastructure or game certification. GLI-19 includes system-level requirements for limitations and exclusions at the platform level, which provide a relevant technical baseline, but the MGA’s player protection obligations extend well beyond what a laboratory can certify through a product assessment.
“Games, and/or their providers, which are not licensed by the MGA or a competent authority within the EU/EEA, but licensed and offered under the purview of other jurisdictions outside the EU/EEA, on the same website as the MGA-licensed operations, are not permissible.”, MGA Licensee Portal FAQs
Comparison with Other Jurisdictions
The MGA’s acceptance-based approach to GLI-19 contrasts with more prescriptive regimes. The Netherlands Kansspelautoriteit (KSA), for example, operates a Gaming System Assessment Scheme (v2.1) under which designated assessment bodies must hold specific ISO/IEC 17020 Type A accreditation and assessment personnel must carry CISSP or equivalent information security credentials. The KSA scheme designates which components each accredited body is permitted to assess. The MGA does not operate an equivalent component-level designation system, it accepts certifications from accredited laboratories within the broader framework and evaluates specific technical architectures on a risk-proportionate basis.
Operators already holding MGA licences and seeking entry into other European markets, particularly where compliance teams are familiar with GLI-19 as the primary certification reference, will find that the MGA’s infrastructure obligations represent a more demanding layer than many other EU jurisdictions require at the certification stage. The real-time data mirror, private cloud mandate, and network schematic obligations are substantive operational commitments, not merely procedural documentation exercises. Operators considering how licence choices affect overall compliance cost should weigh these infrastructure obligations alongside the direct licence cost comparison between the UKGC and MGA, which covers the compliance contribution and audit fee structures that apply to MGA licensees.
Practical Certification Strategy for MGA Applicants
Compliance teams structuring a certification programme for MGA entry should treat the engagement as three parallel workstreams rather than a single sequential process.
The game and system certification workstream engages an MGA-eligible independent testing laboratory for GLI-19 v3.0 assessment of all relevant interactive gaming systems, including RNG statistical testing, game logic review, account management controls, and information security at the system boundary. This is where GLI-19 does its primary work for MGA purposes. For B2B game suppliers, this workstream is substantially self-contained. For readers seeking a detailed comparison of GLI-19 against GLI-33 for event wagering products, the standard selection analysis addresses that decision in depth.
The infrastructure and hosting workstream addresses the MGA Technical Infrastructure Guidelines independently of GLI. This involves preparing the network schematic, selecting hosting premises that conform to ISO 27001 and ISO/IEC 27002:2013, confirming that essential components are on private cloud infrastructure, establishing the real-time regulatory data mirror, and obtaining PCI DSS Level 1 certification for any payment card data environments. None of these steps require GLI involvement, and none are resolved by GLI-19 certification.
The essential components change management workstream establishes the internal procedure required under the MGA Compliance Audit Manual and configures access to the MGA Licensee Portal for Technical Change to Key Essential Components applications. This workstream runs permanently alongside licensing and is subject to audit review at each compliance audit cycle.
Operators managing the intersection of these workstreams against application timelines, and against parallel licence obligations in other jurisdictions, should consult qualified Maltese legal counsel and an experienced technical compliance adviser before submitting. The MGA’s acceptance of GLI-19 removes the need to engage with an entirely separate technical certification framework, but it does not reduce the compliance burden to the GLI engagement alone. The infrastructure obligations in Directive 3 of 2018 and the Technical Infrastructure Guidelines are substantive and, for operators running distributed cloud architectures, operationally demanding. Understanding the boundary between what GLI-19 resolves and what the MGA requires independently is the foundation of a credible application.
For a broader overview of the MGA’s licensing framework, including B2B and B2C licence types, the compliance contribution structure, and the Authority’s current supervisory priorities, the MGA system audit requirements analysis provides the corresponding operational documentation perspective that this certification mapping complements.
Key Resources
MGA Technical Infrastructure Hosting Gaming and Control Systems, Remote Gaming (December 2015, v1), the primary guidance document for infrastructure compliance, available through the MGA Guidance Notes page.
Gaming Authorisations and Compliance Directive (Directive 3 of 2018, V2 October 2021), governs essential components, key technical setup, change management applications, and the real-time mirror server obligation under the Gaming Act (Cap. 583 of the Laws of Malta).
Player Protection Directive (Directive 2 of 2018), defines the Testing Lab requirement, RTP monitoring obligations, and the Authority’s power to require testing lab certificates from licensees and applicants.
GLI-19: Standards for Interactive Gaming Systems v3.0 (July 17, 2020), the Gaming Laboratories International standard covering RNG requirements, game logic, account management, information security at system level, and live game requirements, available from gaminglabs.com.
MGA Compliance Audit Manual (MGA/G/001) (August 2018, v1), sets out mandatory audit procedures for network infrastructure, user management, incident response, change management, and gaming operations, available through the MGA Publications page.
Source: Malta Gaming Authority, Gaming Authorisations and Compliance Directive (Directive 3 of 2018), V2 October 2021, Part III, Player Protection Directive (Directive 2 of 2018), the relevant testing lab provision, Technical Infrastructure Guidelines (December 2015, v1), Sections 2, 3, GLI-19: Standards for Interactive Gaming Systems v3.0, July 17, 2020, Chapters 2, 4 and Appendix B.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.