Online Gaming And Cybersecurity Tips For Providers

Author: Mr Giangiacomo Olivi, Fabia Cairoli and Valeria Schiavo

The online gaming industry is relatively new, but it is one of the most dynamic thanks to continuous technological innovation. The number of households with connected games is steadily increasing; however, as the industry has grown in popularity, cyberattacks have increased as well. This raises a number of concerns about the need to protect the integrity of networks and of the information exchanged by online gamers, who are often unaware of the cyber risks. In this respect, online gaming operators (hereinafter referred to as "Providers", also including, as the case may be, developers and distributors) need to adopt and implement appropriate IT security measures in compliance with European legislative standards and obligations on cybersecurity in order to prevent cyberattacks.

The legal framework: from the NIS Directive to the Cybersecurity Act

The European legislative framework on cybersecurity has recently been updated. As already discussed in our previous article "European cybersecurity standards and their implementation within the Italian legislative framework", the most relevant European legislation on cybersecurity is Directive no. 2016/1148/EU (the "NIS Directive" or the "NISD"), implemented in Italy through Legislative Decree no. 65/2018. The NISD imposes a number of obligations upon operators of essential services as well as upon providers of digital services (such as Providers) with regard to the need to adopt appropriate technical and organizational measures to prevent IT incidents. In addition, such entities have an obligation to notify the competent authorities or the appointed national Cyber Security Incident Response Team (also known as CSIRT) without undue delay, in case of any incident with a substantial impact on the provision of the service.

Moreover, European institutions, in their effort to develop new strategies aimed at strengthening the security of networks and information systems, have recently approved new legislation: Regulation no. 2019/881/EU (the "Cybersecurity Act"). The Cybersecurity Act provides for a detailed EU scheme for the certification of ICT products and digital services in order to evaluate the security level of such products or services. To evaluate the cybersecurity risk of a certain product, service or process, a certificate refers to three possible levels of risk (i.e. basic, substantial, high), in light of the likelihood and severity of a...
