If you build games or run an aggregator and you’re trying to sell to licensed operators, you hit the same wall everyone does: nobody integrates you until you can prove two things — that your information security is solid, and that your games are demonstrably fair. This guide breaks down the certifications that prove both: what each one covers, when you actually need it, and the order they usually come in. It’s written for studios, aggregators and B2B platform providers, not for end operators.
Two layers of certification
It helps to separate two layers. The management layer is about how your company is run — information security, quality, business continuity — and is certified through accredited certification bodies. The gaming layer is about whether your specific games and systems are fair and compliant, and is certified through independent test labs. Operators and regulators look at both, and the two are reached by different routes.
Layer 1 — management-system standards (the ISO stack)
ISO/IEC 27001 — Information Security (the must-have). ISO 27001 certifies how your company manages information security — not a single product. It is the de-facto baseline for B2B integrations: large operators increasingly expect it from suppliers, and it has become a common procurement gate. Certification runs on a three-year cycle with annual surveillance audits and recertification before renewal, so it evidences sustained security maturity rather than a one-off check.
ISO 9001 — Quality Management. Demonstrates consistent service quality and operational reliability. It’s frequently requested in tenders and by regulated lottery operators.
EU-market add-ons. Depending on your markets and partners, several extensions become relevant: ISO/IEC 27017 and 27018 (cloud security and cloud personal-data protection), ISO/IEC 27701 (privacy management, useful for evidencing GDPR alignment), ISO 22301 (business continuity, increasingly relevant as regulators emphasise operational resilience), and ISO 37001 (anti-bribery) in stricter jurisdictions. These are added when a specific market or operator calls for them — not by default.
Layer 2 — gaming-specific certification (GLI, RNG, eCOGRA)
GLI-19 vs GLI-33. Both come from Gaming Laboratories International and are widely regarded as the gold standard. The distinction is simple: GLI-19 (Interactive Gaming Systems) covers online casino and remote game servers, while GLI-33 (Event Wagering Systems) covers sportsbook and betting. Casino studios typically need GLI-19; sportsbook providers need GLI-33; providers offering both usually need both.
RNG certification. Proves that game outcomes are genuinely random and fair. It’s a non-negotiable for casino content and is issued by accredited independent labs such as GLI, BMM, eCOGRA and iTech Labs.
eCOGRA. Independent fairness and RTP certification, often expected by operators and recognised by players.
WLA-SCS / WLA Safer Gambling. World Lottery Association standards — relevant if you sell to lottery operators.
The cross-jurisdiction advantage. Because many regulators base their technical rules on GLI-19/GLI-33, a certification to those standards can be recognised across the jurisdictions that adopt them, with only a reduced delta test for local specifics. This is the single biggest accelerator for multi-market expansion.
How jurisdiction requirements stack up
ISO 27001 isn’t formally mandatory everywhere, but it’s increasingly a de-facto requirement, and some regulators reinforce it directly. Greece requires licence holders to hold accredited ISO 27001 certification; Denmark waives certain security-audit requirements for operators that are ISO 27001 certified. More broadly, European regulators are placing growing emphasis on operational resilience and information-security management, which is why ISO 27001 and ISO 22301 are gaining weight on the European side.
The obligatory list also differs by target market — MGA Malta, Curaçao, Romania’s ONJN and others each combine ISO and GLI requirements differently. If you’re weighing specific jurisdictions, this is exactly where a roadmap pays off.
A practical starter set
For a new B2B provider the baseline is usually ISO/IEC 27001 + GLI-19 or GLI-33 + RNG certification, with ISO 9001 and the privacy stack (27701/27018) added as specific markets and partner operators require. Think of it as a sequence, not a shopping list.
How they fit together
A realistic path for a casino-games studio that has just secured an offshore licence looks like this: ISO 27001 first, to unblock operator procurement; then GLI-19 and RNG, to unblock technical integration and go-live; then ISO 27701 or eCOGRA as EU operators come on board. The licence itself is the prerequisite step — most providers reach this stage right after securing an Anjouan gaming licence or a Curaçao licence.
Frequently asked questions
What certifications does a game provider need to start?
The common baseline is ISO/IEC 27001 (information security), GLI-19 or GLI-33 (system certification for casino or sportsbook), and RNG certification (fairness). ISO 9001 and privacy certifications (ISO 27701/27018) are added as specific operators and markets require them.
Is GLI certification mandatory?
It’s mandatory in practice for most regulated markets, because a large share of regulators base their technical requirements on GLI standards. Certifying to GLI-19/GLI-33 also lets you enter new jurisdictions faster, since labs run a reduced delta test rather than a full re-evaluation.
What is RNG certification and who issues it?
RNG (random number generator) certification proves that game outcomes are genuinely random and fair. It’s issued by accredited independent test labs such as GLI, BMM, eCOGRA and iTech Labs.
Do I need ISO 27001 if I already have GLI certification?
They cover different things. GLI certifies your gaming systems; ISO 27001 certifies how your company manages information security. Large operators increasingly expect both before integrating a supplier.
GLI-19 or GLI-33 — which one do I need?
GLI-19 is for interactive gaming systems (online casino, remote game servers). GLI-33 is for event wagering systems (sportsbook). If you offer both casino and betting products, you’ll likely need both.
