SIFS 2022:3


Publisher
Spelinspektionen


Version 1.1

May 2025

Introduction

This document details the guidelines for the Swedish Gambling Authority’s regulations and general advice ( ) on technical requirements and accreditation of bodies for control, testing and certification of gambling service providers, and for Chapters 1 and 4 of the Swedish Gambling Authority’s regulations and general advice (LIFS 2018:4) on state lotteries and lotteries for matters of public interest. The Swedish Gambling Authority introduced certain amendments to LIFS 2018:4 through the regulation 'Föreskrifter om ändring i (2024:2) Lotteriinspektionens föreskrifter och allmänna råd LIFS 2018:4 om statligt lotteri och lotteri för allmännyttiga ändamål'. This guideline replaces previous editions.

A full-text version with all amendments incorporated into the original regulation can be found in 'Konsoliderad version av LIFS 2018:4 inklusive ändring enligt SIFS 2024:2'. 1

These guidelines aim to clarify the regulations and provide help for those intending to apply for a licence, as well as those intending to apply for accreditation to inspect, test and certify gambling service providers.

The guidance text is written in boxes next to the specific provisions. To clarify for the accredited body which requirements should be inspected, tested, or certified, these requirements are highlighted in bold in the guidance (see below LIFS 2018:4 and Chapters 7-15 in ). Unlike Chapters 1-6 in , the provisions in Chapters 7-15 of SIFS 2022:3 are specific to gambling. Information that should be included in game rules or that should be registered or documented is something that the license holder should do and is part of the Swedish Gambling Authority's supervisory responsibility.

Appendix 1 contains background information for those who want to apply for accreditation according to Chapters 2-3 of .

The Swedish Gambling Authority will approve reports from accredited organizations that are issued according to LIFS 2018:8 and reports from accredited organizations that have LIFS 2018:8 within their scope of accreditation until December 31, 2023.

Please note that this is an unofficial translation. In case of any discrepancies between the English version and the original Swedish version the latter will prevail. Also, note that this document has been compiled for informational purposes. The only authoritative version of the regulation is the version in Swedish as published according to Swedish rules. Always compare the regulation texts with the printed versions of the regulations.

1 Lotteriinspektionens föreskrifter och allmänna råd (LIFS 2018:4) om statligt lotteri och lotteri för allmännyttiga ändamål;

The Swedish Gambling Authority's regulations and general advice on technical requirements and accreditation of bodies for the control, testing and certification of gambling activities ( );

adopted on 2 December 2022.

The Swedish Gambling Authority provides the following on the basis of Chapter 16, Section 1 3, Section 9 and Section 10(7) of the Gambling Ordinance (2018:1475) and decides the following general advice.

The assessment must be carried out by a body accredited for this purpose in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93. In Sweden, the accredited body is the Swedish Board for Accreditation and Conformity Assessment (Swedac).

Anyone applying for a licence to provide gambling must fulfil the requirements set out in these regulations. In addition to the regulations, the applicant must also meet the requirements set out in the Gambling Act (2018:1138), the Gambling Ordinance (2018:1475) and other regulations of the Swedish Gambling Authority. The applicant’s technical equipment must be assessed before it can be used in the gambling operation.

Chapter 1 Scope

Section 1 These regulations and general advice apply to applicants to be accredited to carry out the inspection, testing and certification of gambling activities and to applicants for a licence to conduct gambling activities as well as to those who are licensed under the Gambling Act (2018:1138). The Swedish Gambling Authority may decide on exemptions from the regulations, if this is justified from a safety point of view and otherwise does not pose any risks to the player. The regulations and general guidelines do not apply to:

1. land-based casino in dedicated premises pursuant to Chapter 5, Section 1 of the Gambling Act,

2. video lottery terminals in accordance with Chapter 5, Sections 7-8 of the Gambling Act,

3. lotteries in accordance with Chapter 6, Section 3 of the Gambling Act which are not online gambling where the annual estimated gross turnover from the lottery activity during the license period is less than ten (10) million SEK per year and the value of the maximum prize is no more than 1/6 of the price base amount,

4. bingo of a temporary nature pursuant to Chapter 6, Section 5 of the Gambling Act where the annual estimated gross turnover from bingo operations during the license period is less than ten (10) million SEK per year and the value of the maximum prize is no more than 1/6 of the price base amount,

5. local pool games pursuant to Chapter 6, Section 8 of the Gambling Act,

6. games covered by municipal registration pursuant to Chapter 6, Section 9 of the Gambling Act,

7. land-based casino games, goods gaming machines and card games in the form of tournaments pursuant to Chapter 9, Section 1 of the Gambling Act, and

8. games on ships in international traffic in accordance with Chapter 10, Section 1 of the Gambling Act.

1 See Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.

Section 2 For lotteries under Chapter 6, Section 3 of the Gambling Act (2018:1138) which are not online gambling, where the annual estimated gross turnover from lottery activities during the license period is less than thirty (30) million SEK per year, only Chapters 1-2 and 13 apply if the value of the highest win exceeds a price base amount.

Section 3 For bingo under Chapter 6, Section 5 of the Gambling Act (2018:1138), where the estimated annual gross turnover from bingo activities during the licence period is less than thirty (30) million SEK per year, only Chapters 1-2, 8, 11 and 13 apply.

Section 4 For occasional bingo in accordance with Chapter 6, Section 5 of the Gambling Act (2018:1138), where the estimated annual gross turnover from bingo activities during the license period is less than thirty (30) million SEK per year, only Chapters 1-2 and 13 apply if the value of the highest win exceeds a price base amount.

The regulations do not apply to land-based casinos, such as Casino Cosmopol and restaurant casinos, to token gambling machines at Casino Cosmopol and at restaurants, or to goods gambling machines, card tournaments that are not played online, local pool game in the form of local pool game, lotteries of the type that may only be organised in a municipality and which are to be registered in that municipality, or to cash and token gambling machines and restaurant casinos.

Organizations who hold, or are applying for, a licence for gambling for purposes in the public interest in accordance with Chapter 6 of the Gambling Act (2018:1138) are exempted from certain technical requirements in certain cases. For more information on these exemptions, please refer to the Swedish Gambling Authority's information material titled "Information om tekniska krav till aktörer som bedriver allmännyttig verksamhet” (Swedish version only).

Section 5 Unless otherwise stated, the terms and designations used in the regulations have the same meaning as in the Gambling Act (2018:1138) and in the Gambling Ordinance (2018:1475). The following definitions apply in these regulations and general advice:

1. bingo of a temporary nature: bingo games organised only occasionally or on a few days a week during the licence period,

2. check total: numbers attached to numbers or messages for changes and errors to be detectable. Checksums are calculated by a specific mathematical procedure,

3. information asset: information, and any resources handling that information, which is of value to an organisation. A gambling and ERP (Enterprise Resource Planning) system consists of one or more information assets that the licence holder defines in a list;

4. logged in time: the time between the player logging into the game system until the player chooses to log out or that the gaming system logs the player out,

5. encryption: distortion of data and information with an encryption algorithm that is generally known and published,

6. live casino games: casino games offered as online games via video link, data transmitted communication services or the like where gambling equipment is used instead of a gaming system,

7. maximum load: defined by the certified licensee; refers to the point at which the gaming system automatically rejects bets from players,

8. agent terminal: a technical device used to manage different types of games and player information, cannot be handled by the player, is part of the gaming system and does not work without connection to the rest of the gaming system,

9. person in a politically exposed position (PEP): a person who has, or has had, an important public function in a country, or in the management of an international organisation,

10. game round: a combination of events from the moment the licensee opens a game and the player places a bet until the result of the game is generated,

11. random number generator: an algorithm or a physical device intended to generate a sequence of elements (often numbers) that have certain statistical characteristics common to sequences, which occur purely randomly after a given probability distribution,

12. UTC: world time UTC (Coordinated Universal Time). UTC Sweden available at the Time Bureau, BIPM in Paris and retrieved in a secure way to RISE, Research Institutes of Sweden - Sweden’s research and innovation partner for business and society, in Borås and called UTC(SP), and

13. win pot: all or part of players’ bets according to the rules of the relevant game type and where the licensee retains these bets until all or part of the bets are distributed, can be, for example, a jackpot, pool bet or split jackpot.

Chapter 2 Inspection, testing and certification

Those providing gambling services must ensure that gambling systems, ERP systems, etc., meet the requirements set out in regulations issued pursuant to Chapter 16, Section 1 of the Gambling Act (2018:1138). In accordance with Chapter 16, Section 3 of the same act, the equipment’s compliance with Swedish regulations for gambling activities must be assessed by a body accredited for this task. Pursuant to Chapter 18, Section 4 of the Gambling Act, the Swedish Gambling Authority is entitled to access areas, facilities, premises, etc., where gambling is conducted or where gambling equipment is handled or stored. The aim of this access is to allow the Swedish Gambling Authority to carry out supervisory measures.

Chapter 16, Section 2 of the Gambling Act stipulates that as a main rule, the licence holder’s gambling system must be located in Sweden. The Swedish Gambling Authority can grant exemptions under certain conditions. However, the licence holder is obligated to apply for such an exemption. If the licence holder has applied for an exemption, the accredited body’s assessment must include whether it is possible to carry out inspection of the gambling system through remote access or similar.

Section 1 An applicant for a licence under the Gambling Act (2018:1138) shall apply to an accredited body for the inspection, testing and certification of gaming systems, business systems, procedures, gambling equipment and physical lottery tickets in accordance with Chapter 16, Section 3 of the Gambling Act. Provisions on accreditation — as per the first paragraph — by Swedac can be found in the Accreditation and Conformity Assessment Act (2011:791).

General advice: If the applicant or the provider of services on behalf of the applicant is certified in relation to the current ISO/IEC 27001:2022 2 , the requirements of Chapters 4-6 of this regulation may be met. A valid ISO/IEC 27001:2014 certificate, a statement of applicability and a documented risk assessment shall be available to the accredited body for evaluation.

Swedac is the national accreditation body for Sweden. Swedac monitors compliance with quality and security requirements in order to facilitate free movement of goods and services across borders. The agency has international tasks in all areas. Swedac works with international projects in order to contribute to an infrastructure for accreditation and quality control in developing countries. The agency’s activities are based on instruction and appropriation directions from the Government as well as legislation and agreements within Europe and globally. More information on Swedac and contact information is available at www.swedac.se.

Section 2 Any person applying for a licence under the Gambling Act (2018:1138) shall send documentation for the carried out inspection, testing and certification to the Swedish Gambling Authority. The report shall clearly indicate the evaluation methods used in the inspection, testing and certification processes. In order to ensure that the accredited body complies with all the requirements of Chapter 3, certificates issued and other documentation for the business shall be attached.

2 The applicable standard shall be applied

Section 3 Inspection, testing and certification protocols shall be renewed at least every twelve months. The first paragraph shall not apply to persons who are licensed under Chapter 6, Section 1 of the Gambling Act (2018:1138), and who do not provide online gambling. Renewal of inspection, testing and certification protocols is then required only if an information asset classified with some relevance pursuant to Chapter 5, Section 3, second paragraph has been updated or changed, or if a new or existing information asset during the licence period is classified with some relevance. Renewal in accordance with the second paragraph shall take place within a period of 12 months from the date on which the requirement for renewal arises.

Organizations who are licensed under Chapter 6, Section 1 of the Gambling Act (2018:1138), and who do not provide online gambling are subject to different requirements than other license holders. For more information on these exemptions, please refer to the Swedish Gambling Authority's information material titled "Information om tekniska krav till aktörer som bedriver allmännyttig verksamhet” (Swedish version only).

Business-to-business (B2B) is a marketing strategy comprising the sale of goods and services between companies. There are primarily three sub supplier groups that are relevant to the regulations: a sub supplier providing goods such as word processing software or a physical firewall; a sub supplier providing services such as operation, maintenance or updates of all or parts of a gaming service; and a sub supplier providing services such as customer service, HR, etc. The different types of sub supplier are relevant in relation to Chapters 4-6 of the regulation.

To begin with, there is a difference between goods and services. Goods are controlled by the licence holder as they are purchased in complete condition, updates are installed by the licence holder, and the goods are part of the licence holder’s own information assets. In the assessment by the accredited body, such goods are included in the licence holder’s gambling and business system. A change in such information assets will only prompt revision within the licence holder’s operation. The extent of such a revision depends on how the licence holder has classified the information asset. A piece of word-processing software may be classified as less critical, with low relevance during a revision, unlike a gambling system for poker, for example.

A service is inspected by the service provider. Updates are managed by the service provider. The assessment by an accredited body must also comprise the licence holder’s service provider. Any change affecting the information asset, such as a poker service, means that a revision must be made by the licence holder as well as the service provider. If a sub supplier provides the same service to multiple licence holders, this may entail an enormous administrative burden for the licence holders, the accrediting bodies and the Swedish Gambling Authority. Those providing a service to multiple licence holders may also be inspected, tested or certified in accordance with Chapter 2 of these regulations. A change with the service provider will therefore have an impact on all the licence holders.

Section 4 If, in the course of its day-to-day work, the accredited body finds shortcomings or defects that are relevant to the licence, the licensee shall immediately notify the Swedish Gambling Authority. The licensee shall immediately notify the Swedish Gambling Authority if the certification body withdraws certificates.

Exemption from the requirement for an assessment procedure under Chapter 16, Section 3 of the Gambling Act (2018:1138) etc.

Section 5 Games under Chapter 1, Sections 2 and 4 are exempted from the requirement for an assessment procedure under Chapter 16, Section 3 of the Gambling Act (2018:1138) if the value of the highest prize is less than one price base amount.

Section 6 If the equipment referred to in Chapter 13 is used in games referred to in Section 5, the licensee shall ensure that the equipment meets the requirements set out in Chapter 13. The result of a draw shall be documented in a protocol to be stored during the licence period. For occasional bingo in accordance with Chapter 6, Section 5 of the Gambling Act (2018:1138), where the annual estimated gross turnover from bingo activities during the licence period is less than thirty (30) million SEK per year and the value of the highest prize exceeds 1/6 of the price base amount, the equipment referred to in Chapter 13 shall be used.

Organizations who hold, or are applying for, a licence for gambling for purposes in the public interest in accordance with Chapter 6 of the Gambling Act (2018:1138) are exempted from certain technical requirements in certain cases. For more information on these exemptions, please refer to the Swedish Gambling Authority's information material titled "Information om tekniska krav till aktörer som bedriver allmännyttig verksamhet” (Information on technical requirements for actors conducting activities in the public interest).

Chapter 3 Accredited bodies

For the formulation of the accreditation scope, see appendix 1.

Scope

Section 1 The accrediting process must comprise information security, inspection, testing and certification, as well as risk and vulnerability analyses.

Competence requirements for the accredited body

Section 2 Those applying for accreditation must have experience of work with management systems for information security, inspection, testing, certification and risk and vulnerability analyses.

There is nothing to prevent those wanting to become accredited from only applying for parts of the accrediting process. Applicants for accreditation must have experience within the parts referred to in their application.

General advice: Experience refers to at least three years’ experience of testing and evaluating management systems for information security, at least two years’ experience of risk and vulnerability analyses, or equivalent experience.

Competence requirements for staff of the accredited body

Section 3 Inspection, testing and certification must be carried out by staff with adequate and documented training. Staff must be available who have at least five years’ experience of inspecting and testing gambling systems, gambling services and online activities, or equivalent experience. Staff must be available who have at least five years’ experience of risk and vulnerability management, or equivalent experience. Cited experience and competences must be proven through certificate or similar documentation.

General advice: Adequate and relevant training may also include other qualifications that allow staff to achieve sufficient competence for the task or tasks. For work with random number generators and other lot-drawing equipment, the responsible supervisor should have a master’s degree or PhD in mathematics, statistics or other subject relevant to the assignment. Such qualifications must be documented in the same way as other training, and for work with information security, this can include certifications in accordance with:

- International Information Systems Security Certification Consortium (ISC)2 Certified Information Systems Security Professional (CISSP);
- Payment card industry (PCI) Qualified Security Assessor (QSA); or
- Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA).

For work with risk and vulnerability analyses, the following certificates can be relevant:

- International Council of E-commerce (EC-Council) Certified Ethical Hacker (CEH);
- EC-Council Licensed Penetration Tester (LPT);
- Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT);
- Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN);
- CESG CHECK Team Leader;
- CESG CHECK Team Member;
- CREST Infrastructure Certification;
- CREST Registered Tester;
- Tiger Scheme Senior Security Tester; or
- Tiger Scheme Qualified Security Tester.

Inspection, testing and certification can be carried out by staff groups that meet the set requirements all in all.

Chapter 4 The licence holder’s information security

Information processing is a central support function in all types of services. It is important to be able to protect information and to have a high level of consumer protection and security in the games. It must be possible to ensure access to information in both the short and long term. In order to achieve good information security, it is not enough to apply administrative measures such as regulations, training/information, compliance control, as well as measures that can be taken in IT systems and communication solutions (IT security). Information processing equipment must also be protected from various risks, through physical protection or physical IT security.

One important factor in protecting the information is thus the physical protection surrounding various types of IT environments. Planning, developing and administering IT environments is a large financial commitment, and it is not always easy to determine which measures are suitable and reasonable in order to provide the information with sufficient protection.

The licence holder must have procedures in place such as policies, guidelines, regulations and advice, depending on what it is they need to protect.

Protection of information

Section 1 Important information must be protected from physical and logical breaches and other external influence, and the information must be available when needed.

It is up to the licence holder to determine what constitutes important information. In accordance with Chapter 5, the licence holder must keep a list classifying the information assets. Important information should always include, at the least, transactions, game conditions, client database, version history, logs. A large part of the information must not only be available to the licence holder, but also to the accredited body for inspection, testing and certification, as well as revision, and of course to the Swedish Gambling Authority upon request.

Personnel administration

Section 2 There must be a policy and procedures to regulate employee authorisations in gambling and ERP systems. A corresponding policy, establishment of access descriptions and procedures as described in the first paragraph, must be written for other persons who need access to gambling and ERP systems. Policies and procedures must be documented and regularly updated.

General advice: A policy with associated procedures can include

1. detailed work descriptions for each employee;

2. which access to information is required for each work description, i.e. for the completion of work tasks;

3. in what way changes in the work description are also reflected in what information the employee will have access to; and

4. description of which steps to take upon termination of employment.

Access to a gambling system should be divided into different functions in regard to different user groups. The different functions, such as functions, groups, individuals, systems, must then be assigned different functions and thereby different access. There should be an access description with associated individuals or systems for each function. In order to simplify revision, the access descriptions should be updated at least once per year in conjunction with the renewal of inspection, testing and certification records in accordance with Chapter 2, Section 3.

It is common for security guards, service technicians, property managers, cleaners and other similar groups to also have access to areas where sensitive information is being kept. Most often, these staff groups are not employed by the same organisation. Even if there is a contractual relationship, this does not mean that liability and authority are regulated in the same way. For this reason, these external staff groups should not have free or unregulated access to such areas.

Access restrictions

Section 3 The gambling and ERP systems must be placed in an area adapted for the purpose. All entry points to the area where the gambling and ERP systems are handled or stored must be guarded by personnel or technical equipment for access control. The scope of this access control must be adapted to the regulations regarding risk and vulnerability analyses set out in Chapter 5. Passcards, codes and keys to areas where the gambling and ERP systems are being handled or stored must be controlled to ensure that there is no unauthorised access.

General advice: A space adapted to the purpose may comprise one or more rooms.

An organisation’s choice of where to place its gambling and ERP systems can have a great impact on improving security. The area should therefore be well adapted to the purpose in order to avoid external threats and reduce the consequences should such threats be realised.

Section 4 Systems for operation and testing must be logically separated. Systems for testing of generation and validation, as well as actual generation and validation of bases for physical lottery tickets must be logically separated.

Tests and trials of new versions or functions in a gambling system are always carried out in logically separate systems.

Authentication

Section 5 Gambling and ERP systems must be equipped with technical and administrative measures to identify the user, the user’s system authorisation and registration of the user’s activities. All access to the gambling and ERP systems must be registered.

Codes, passwords or equivalent for the gambling and ERP systems are personal and may not be disclosed or shared, and they must be provided with a level of protection appropriate for the information.

It is important for the licence holder to maintain control over who has access to the area where the gambling and business systems are kept. In order to do so, it is essential to limit access to gambling and business system to the employee group that has an established need.

A catalogue service can be used to control, register and store access to gambling and business systems. A catalogue service allows authorised access to be linked to the user’s rights and for them to be registered when using the service. Codes and passwords should not be shared between users, and should not be joint. One-time passwords can be used as long as it is possible to determine who has requested them and that they are authorised to do so.

Section 6 The gambling and ERP systems must have a function that continuously registers user identity, date and time of login and logout, and any other activities of relevance to information security.

See Chapter 4, Section 19 for the applicable time system.

Section 7 Events outside the technical equipment that have an impact on the gambling and ERP systems must be registered.

General advice: Examples of such events outside the technical equipment that have an impact on the gambling and ERP systems include fire and water damage. Registration of events in accordance with Section 7 can be done manually.

Communication and operation

Section 8 It must be possible to safely shut down the gambling and ERP systems in the event of disruption or failure in the electricity supply or communications. There must be an auxiliary power system to safeguard data integrity, register history, backup data and allow games that are in progress to come to an end.

Section 9 The gambling and ERP systems must have a function that registers all attempts at unauthorised access to the system and other events, and which creates event reports with time stamps.

Section 10 The gambling and ERP systems must be protected against unauthorised intrusion and the insertion of unauthorised and malicious code. The gambling and ERP systems must have a function to discover malicious code. There must be documented procedures for updating protection against unauthorised and malicious code.

Section 11 All system changes in accordance with Chapter 6 and any other discrepancies in the gambling and ERP systems must be monitored and registered.

Chapter 6 contains provisions on version management, and Section 18 of this chapter regulates storage periods.

Section 12 The gambling and ERP systems must be backed up at least once per day. It must be ensured that the systems can be restored from the latest backup point to the time of a possible disruption.

In order to simplify the assessment made by the accredited body, the licence holder should provide procedures for backup and for restoration in case of a disruption. In order to simplify revision, these functions should be tested at least once per year in conjunction with the renewal of inspection, testing and certification records in accordance with Chapter 2, Section 3.

Section 13 The gambling and ERP systems must be equipped with appropriate firewalls. Firewalls must be set up to ensure that no other equipment in the same network can create alternative network paths. Firewall access must be documented in work descriptions and access descriptions. All access to a firewall must be registered. All incidents that affect or are intended to affect the firewalls must be registered.

Information in the fourth paragraph does not need to be stored for longer than three months in accordance with Section 18 of this chapter.

Section 14 Information must be stored and transferred securely. Files containing information revealing winnings must be handled so that no unauthorised user can copy or otherwise misuse or damage the data. If a public network is used for the transfer, the data must be encrypted and the separate subsystems must verify the dispatch and reception and also be protected from incomplete transfers, disruption and copying and sending of unauthorised replies.

Chapter 5 states that the licence holder must keep a list classifying their information assets, and based on that classification, they must also assess which information is to be stored and transferred securely.

In the case of encrypted transfer, an established standard should be used in order to ensure that the information is transferred and stored securely.

Section 15 There must be documented procedures for the handling of portable data media. If information revealing winnings is sent on data media by post, or equivalent manner, a transport option must be selected that meets the requirements set out in Section 14, second paragraph.

General advice: Portable data media may include laptops and portable memory devices.

Section 16 Only functions that are necessary for the purpose of installing new software shall be activated. Maintenance and updating of applications in a gambling and ERP system must be done in a secure and controlled manner.

Section 17 Software must be identifiable by name and version number. The source code of the gambling system must have comments explaining the function of the code.

Storage of registered information, events and logs

Section 18 Registered information, events and logs are to be stored in accordance with Chapter 16, Section 5 of the Gambling Act (2018:1138), kept unchanged and be protected from unauthorised access. Registered information in accordance with Section 13, fourth paragraph, must be stored for at least three months.

Time reference

Section 19 The gambling system must register time. All information, events and logs are to be registered in real time. UTC is to be used as the time reference system.
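One way to meet the "kept unchanged" requirement of Section 18 together with the UTC requirement of Section 19 is a hash-chained event log. The code below is an added example, not part of the regulation or the Authority's guidance; the record fields, the function names, the use of SHA-256 and the sample events are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                       # 'prev' value of the first record
FIELDS = ("seq", "utc", "event", "detail", "prev")


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON form of the chained fields."""
    body = {k: record[k] for k in FIELDS}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def append_event(log: list, event: str, detail: str, now: datetime = None) -> dict:
    """Append a record whose hash covers its content and the previous hash."""
    now = now if now is not None else datetime.now(timezone.utc)
    if now.utcoffset() is None:
        # A naive timestamp cannot be tied to UTC, so it is refused.
        raise ValueError("timestamp has no time zone; cannot express it in UTC")
    record = {
        "seq": len(log),
        "utc": now.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
        "event": event,
        "detail": detail,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify(log: list, expected_head: str = None):
    """Return None if the log is intact, else the index of the first bad record.

    If expected_head (a head hash kept outside the log) does not match,
    len(log) is returned: records were removed or the chain was rebuilt.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if (any(k not in rec for k in FIELDS)
                or rec["seq"] != i
                or rec["prev"] != prev
                or not rec["utc"].endswith("+00:00")
                or rec.get("hash") != _digest(rec)):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def sample_log() -> list:
    """Constructed sample events with fixed times, for illustration only."""
    log = []
    append_event(log, "firewall_access", "admin session opened",
                 datetime(2025, 5, 1, 9, 30, tzinfo=timezone.utc))
    # A local (+02:00) clock reading is normalised to UTC before storage.
    append_event(log, "backup_completed", "daily backup",
                 datetime(2025, 5, 1, 12, 15, tzinfo=timezone(timedelta(hours=2))))
    append_event(log, "login_failed", "player account, wrong code",
                 datetime(2025, 5, 1, 10, 20, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["detail"] = "edited afterwards"
    print("first bad record after edit:", verify(log, head))
```

A chain only shows tampering by someone who cannot rewrite it end to end, so the head hash should be kept outside the system that writes the log and passed to `verify` as `expected_head`.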

Chapter 5 The licence holder’s risk and vulnerability management

Section 1 The licence holder must carry out a risk and vulnerability analysis to systematically identify and document in a list the information assets of the gambling and ERP systems. This work also includes considering the operation’s dependence on external activities. The choice of method for the risk and vulnerability analysis must be documented.

General advice: ISO 31000:2018 (see footnote 3) contains principles and general guidelines for risk management. A risk and vulnerability analysis and a list in accordance with Section 1 can contain the following elements:

1. identification of information assets which must be protected/functional at all times (What is to be protected?);
2. identification of risk sources that may impact/threaten identified information assets (What could happen?);
3. risk analysis (How likely is it, and what would be the consequences if it occurred?); risk evaluation to determine which of the identified risk sources need to be further processed and which measures must be taken in response to identified risks;
4. assessment of the ability to resist and manage identified risk sources; and
5. risk processing through identification and prioritisation of measures in response to the analysis results.

Section 2 For each information asset in the list, the following information must be provided:
1. a definition of the information asset;
2. a unique identification number;
3. a version number;
4. identifying features of the information asset;
5. decision maker entitled to make decisions regarding changes in the information asset;
6. internal risk evaluation;
7. checksum for information assets classified in accordance with Section 3, second paragraph, points 2–3; and
8. the geographical location of physical information assets.

Footnote 3: The applicable standard shall be applied.

The complete list will form the basis of the accredited body’s assessment of the licence holder’s information assets pursuant to Section 2.

In subsequent audits, the list will show any changes made between the assessment dates, and the accredited body can then revise its earlier assessment.

Section 3 Each information asset defined in accordance with Section 2 must be classified according to the following four criteria:
1. player information – information worthy of protection;
2. integrity of the gambling and ERP systems;
3. availability of player information; or
4. traceability.

Each classification must be assessed according to the following:
1. no relevance (the information asset has no impact on the respective criteria of points 1–4 in the first paragraph);
2. some relevance (the information asset may have an impact on the respective criteria of points 1–4 in the first paragraph); or
3. high relevance (the respective criteria of points 1–4 in the first paragraph are dependent on the information asset).

General advice: Depending on whether and how virtualisation, e.g. cloud services, is used in the gambling and ERP systems, redundancy and availability of data may be affected. Different methods of virtualisation may entail different classifications of an information asset. The licence holder should be attentive to how the classification of a hardware information asset is affected and possibly changed depending on the internal or external selection or development of virtualisation. If an external cloud service provider is used, it should be ensured that they meet the requirements set out in the regulations.

Section 4 The licence holder must appoint a decision maker responsible for risk and vulnerability analysis as well as management of information and incidents that may arise in accordance with this chapter. There must be documented procedures for monitoring, detection, analysis, management, reporting and registration of security and information security incidents.

Section 5 There must be a function and documented procedures for the management of breaches and attempted breaches of the gambling and ERP systems. All intrusions and attempted intrusions of the gambling and ERP systems must be registered.

Chapter 6 The licensee’s system changes

Section 1 There shall be a documented process for version management and a version management system for updates or alterations to the information assets drawn up in a list in accordance with Chapter 5, Section 2.

Section 2 Updates or changes to an information asset classified as critical with high relevance in accordance with Chapter 5, Section 3, second paragraph shall be examined without delay by an accredited body. The updating or modification of an information asset classified with some relevance pursuant to Chapter 5, Section 3, second paragraph shall be reviewed in conjunction with the ordinary certification process in accordance with Chapter 2, Section 3.

Section 3 If the licensee has an internal function that manages quality assurance of updates or alterations to information assets, the accredited body may authorise alterations to be made without review in accordance with Section 2, first paragraph if: 1. the function is organisationally separate from the function that implements updates or alterations and 2. the function has staff with adequate training and experience. Updating or changing an information asset under the first paragraph shall be reviewed in conjunction with the ordinary certification process in accordance with Chapter 2, Section 3.

Section 4 When updating or changing information assets in accordance with Section 1, a risk and vulnerability analysis shall be performed.

Section 5 There shall be a designated decision-maker who is responsible for and decides on each update or change to an information asset.

Section 6 A version management system shall contain information about requests for changes, the approval of changes and changes made to information assets. Previous versions of information assets shall be stored and kept available for examination.

General advice: Earlier versions of information assets in the form of hardware may be destroyed.
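The list required by Chapter 5, Sections 2 and 3 and the review routing in Chapter 6, Sections 2 and 3 can be combined into one check that compares the list from the previous audit with the current one. The code below is an added example, not part of the regulation or the Authority's guidance; the asset identifiers, field names, SHA-256 as checksum method, the sample assets and the handling of unversioned, new and removed assets are assumptions.

```python
import hashlib
from dataclasses import dataclass
from enum import IntEnum


class Relevance(IntEnum):          # Chapter 5, Section 3, second paragraph
    NONE = 1
    SOME = 2
    HIGH = 3


# Chapter 5, Section 3, first paragraph: the four classification criteria.
CRITERIA = ("player_information", "integrity", "availability", "traceability")
CHECKSUM_METHOD = "sha256"         # assumption: the regulation names no method

IMMEDIATE = "review by accredited body without delay"    # Ch. 6, s. 2
ORDINARY = "review at ordinary certification"            # Ch. 2, s. 3
RECORD_ONLY = "record in version management only"        # outside Ch. 6, s. 2


def classify(**levels) -> dict:
    """Classification for all four criteria; unnamed ones get NONE."""
    return {c: levels.get(c, Relevance.NONE) for c in CRITERIA}


@dataclass
class Asset:
    asset_id: str                  # unique identification number
    definition: str
    version: str
    decision_maker: str
    classification: dict           # criterion name -> Relevance
    content: bytes                 # constructed stand-in for the asset's files

    def relevance(self) -> Relevance:
        return max(self.classification[c] for c in CRITERIA)

    def list_entry(self) -> dict:
        """One row of the list; a checksum only for some/high relevance."""
        rel, digest = self.relevance(), None
        if rel >= Relevance.SOME:
            digest = hashlib.new(CHECKSUM_METHOD, self.content).hexdigest()
        return {"version": self.version, "relevance": rel,
                "decision_maker": self.decision_maker,
                "method": CHECKSUM_METHOD if digest else None,
                "checksum": digest}


def build_list(assets) -> dict:
    ids = [a.asset_id for a in assets]
    if len(ids) != len(set(ids)):
        raise ValueError("asset identification numbers must be unique")
    return {a.asset_id: a.list_entry() for a in assets}


def review_action(relevance: Relevance, qa_exempt: bool) -> str:
    if relevance == Relevance.HIGH:
        return ORDINARY if qa_exempt else IMMEDIATE   # Ch. 6, s. 3 exemption
    return ORDINARY if relevance == Relevance.SOME else RECORD_ONLY


def compare_lists(previous: dict, current: dict, qa_authorised=()) -> list:
    """Return (asset_id, change, action) for every asset that differs."""
    findings = []
    for asset_id in sorted(set(previous) | set(current)):
        old, new = previous.get(asset_id), current.get(asset_id)
        if old == new:
            continue
        if old is None:
            change = "new asset"
        elif new is None:
            change = "removed from list"
        elif (old["version"] == new["version"]
              and None not in (old["checksum"], new["checksum"])
              and old["checksum"] != new["checksum"]):
            change = "content changed without new version"
        else:
            change = "updated"
        # Assumption: the higher of the old and new classification decides,
        # and only ordinary versioned updates can use the QA exemption.
        rel = max(e["relevance"] for e in (old, new) if e)
        exempt = asset_id in qa_authorised and change == "updated"
        findings.append((asset_id, change, review_action(rel, exempt)))
    return findings


def sample_lists():
    """Constructed lists from two audit dates, for illustration only."""
    hi, some = classify(integrity=Relevance.HIGH), classify(availability=Relevance.SOME)
    before = [Asset("IA-001", "RNG module", "1.4.0", "CTO", hi, b"rng 1.4.0"),
              Asset("IA-002", "Payout table", "7", "Game owner", hi, b"rtp=96.0"),
              Asset("IA-003", "Session cache", "2", "Ops lead", some, b"cache v2"),
              Asset("IA-004", "Lobby banner", "3", "Web lead", classify(), b"png v3")]
    after = [Asset("IA-001", "RNG module", "1.5.0", "CTO", hi, b"rng 1.5.0"),
             Asset("IA-002", "Payout table", "7", "Game owner", hi, b"rtp=94.0"),
             Asset("IA-003", "Session cache", "3", "Ops lead", some, b"cache v3"),
             Asset("IA-004", "Lobby banner", "4", "Web lead", classify(), b"png v4")]
    return build_list(before), build_list(after)


if __name__ == "__main__":
    for finding in compare_lists(*sample_lists(), qa_authorised={"IA-001"}):
        print(finding)
```

The payout table in the sample keeps version 7 while its checksum changes, which is the case a version number alone would not reveal.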

Chapter 7 and forward

Gambling activities must ensure strong consumer protection, and there must be a high level of security in the games. There is a need to protect the players, partly to prevent gambling in the event of suspected fraud or other game-related forms of crime, and partly in case one or more games are faulty. The licence holder must then be able to deactivate one or more games, or one or more players.

In order to clarify to the accredited body which requirements need to be inspected, tested or certified, the requirements are written in bold as of Chapter 7. Unlike the previous chapters, the provisions of Chapter 7 and the following chapters refer to specific games. Information that is to be written in a game's rules, or which must be registered or documented, is part of the licence holder’s duties and is included in the Swedish Gambling Authority's supervisory responsibilities.

Chapter 7 Functions for the licence holder’s game administration

Activation and deactivation of games

Section 1 The licence holder must be able to immediately activate or deactivate each game or its players; either one or more games, or an individual player or all players at once.

Measures pursuant to the first paragraph must be registered and documented.

General advice: A game can for example be deactivated by temporary concealment if the licence holder discovers faults in the game or relating to an individual player.

Section 2 It must be possible to finish playing a game that has been deactivated. For games played in several steps, it must be possible to finish playing the game when the player next logs in.

Interrupted games

Section 3 It must be possible to finish playing an interrupted game, unless otherwise specified in the rules of the game.

An interrupted game must be shown to the player, along with any bets made, once the gambling system is reconnected.

Bets referred to in the second paragraph must be kept separate and be separately reported in the player’s player account until the game is finished.

General advice: A game can be considered interrupted if, for example, the gambling system is disconnected from the player’s equipment, if the gambling system or the player’s equipment restarts, or if the gambling system is unexpectedly shut down. A game can also be considered interrupted if it has not been possible to finish a game or a race has been cancelled.

Section 4 If an interrupted game is not finished within 90 days, it must be terminated. The rules of the game must clearly state what will happen to a player’s bet if a game is terminated before being finished.

Fault management

Section 5 There must be documented procedures for all games on how to manage faults and deficiencies. The rules of the game must clearly state what applies in relation to the player in the event of faults and deficiencies.

Section 6 Any errors and faults that arise must be registered and documented. Causes and solutions of errors and faults in the first paragraph must be registered and documented.

Registration and documentation can be carried out automatically in the gambling system or manually in accordance with documented procedures. If the registration is made automatically in the gambling system, the accredited body must verify the existence and performance of such a function.

Section 7 It must be ensured that an interrupted game or other errors and faults will not negatively affect a player’s player account or game balance. In the event that a player is unable to finish a game due to errors and faults, there must be a function calculating the amount that will be returned to the player.

Section 8 The value of a pot must not be affected by errors and faults.

Chapter 8 Information that a gambling system must be able to generate

In addition to the information that a gambling system must be able to generate pursuant to Chapter 8, there are also requirements relating to reporting to the Swedish Gambling Authority set out in Section 21 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2). The information that is to be reported every six months in accordance with Section 21 is specified below.

Section 1 It must be possible to create reports, in the gambling system or manually, regarding suspected cheating, as referred to in Chapter 19, Section 6 of the Gambling Act (2018:1138). It must be possible to create reports, in the gambling system or manually, regarding suspected cheating, collusion between players, attempted cheating and collusion between players, as well as other registered violations of the terms of use and rules of the game. It must be possible to create reports, in the gambling system or manually, regarding illicit manipulation of the outcome of a game subject to betting.

Section 2 The gambling system must have a function for generating reports regarding deviations or changes in a player’s gambling habits and gambling patterns which result in responsible gambling measures.

Chapter 14, Section 1 of the Gambling Act (2018:1138) regulates the licence holder’s duty of care. A licence holder must ensure that consideration is given to social and health protection aspects of the gambling activities, in order to protect players from excessive gambling and to help them reduce their gambling if needed. The licence holder must continuously monitor the players’ gambling behaviours.

Section 3 The gambling system must have a function to generate reports for all player registrations. The gambling system must have a function to generate reports for all open and closed temporary player accounts referred to in Chapter 13, Section 4, first paragraph of the Gambling Act (2018:1138).

Chapter 12, Section 1 of the Gambling Act states that a licence holder must register those who wish to participate in gambling. Chapter 13, Section 1 states that a licence holder who is licensed for online gambling must open a player account for each registered player. A licence holder may open temporary player accounts under certain circumstances.

Section 4 The gambling system must have a function to generate reports for all registered players, the players’ account information and registration dates.

Section 5 The gambling system must have a function to generate reports of all players that have excluded themselves from gambling for 24 hours, for a certain period of time or indefinitely, in accordance with Chapter 14, Section 11 of the Gambling Act (2018:1138).

Section 6 The gambling system must have a function to generate reports of all players who have set limits in terms of time, bets or deposits to their player account. The gambling system must also have a function to generate reports on the number of players who have lowered or raised their limits in terms of time, bets or deposits to their player account.

Section 7 The gambling system must have a function to generate reports on inactive player accounts.

General advice: It should be clear from the licence holder’s agreement with the player when a player account is considered inactive and what will happen to any outstanding balance once the account has been inactive for a certain period of time.

Section 8 The gambling system must have a function to generate reports on all player accounts that have been closed. If a player account has been closed, it must be indicated why it was closed and whether it was closed by the player or the licence holder.

Section 9 The gambling system must have a function to generate reports on all player accounts with a positive balance which have been closed for more than five working days.

Section 10 The gambling system must have a function to generate a report for each player account.

General advice: A report should contain information on balance, deposits, bets, winnings and withdrawals.

Section 11 The gambling system must have a function to register the full login session of an individual player.

It must be possible to provide the following in one or more reports in accordance with the first paragraph:

1. player ID;
2. start and end time of the login session;
3. player equipment;
4. total bets during the login session;
5. total winnings paid out during the login session;
6. total deposits to player account during the login session (time-stamped);
7. total withdrawals from player account during the login session (time-stamped);
8. time of final confirmation during the login session;
9. reason for terminating a session; and
10. identification of games and versions played during the login session.

Section 12 The gambling system must have a function to register and generate one or more reports with information on the player’s transactions during the login session.

It must be possible to provide the following in one or more reports in accordance with the first paragraph:

1. player ID;
2. start time of the game;
3. the player’s balance at the start of the game;
4. bet (timestamped);
5. contribution to the pot;
6. status of the game;
7. outcome of the game (timestamped);
8. distribution of the pot;
9. end time of the game;
10. winnings;
11. the player’s balance at the end of the game; and
12. all interrupted games and the reason why they were not finished.

Section 13 The gambling system must have a function to register and generate one or more reports regarding events in the gambling system.

It must be possible to provide the following in one or more reports in accordance with the first paragraph:

1. substantial winnings;
2. large transfers of funds;
3. changed terms of a game;
4. changed terms of a pot;
5. new pots;
6. player participation in the pot;
7. distribution of the pot; and
8. interrupted games with a pot.

Section 14 The gambling system must have a function to register and generate individual and aggregate reports on one or more of the licence holder’s rounds.

It must be possible to provide the following in one or more reports in accordance with the first paragraph:

1. name and serial number of the round;
2. date;
3. start time of the round;
4. end time of the round;
5. total turnover;
6. number of bets;
7. licence holder’s bet;
8. financing of the pot;
9. value of the pot before the start of the game;
10. value of the pot at the end of the game;
11. possible outcomes;
12. actual outcome;
13. total amount of winnings;
14. total number of winners;
15. number of winners at each level;
16. number of right answers;
17. total payout; and
18. number of players who did not complete the round and the reasons for this.

General advice: A possible outcome can be a situation in which there is a possibility for a unique outcome that is not directly indicated in the relevant payout table, for example in 1X2 betting on a football match.

Chapter 9 Functional requirements for the licensee against players

For games in accordance with Chapters 7 and 8 of the Gambling Act (2018:1138), Section 15 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling states that the player must be given clear information at each login regarding the licence holder’s responsible gambling measures, the player’s limitations of deposits pursuant to Chapter 14, Section 7 of the Gambling Act, and the player’s accumulated losses over the last twelve months. In its assessment, the accredited body must verify that the licence holder meets this requirement.

Registration of the player and access to the gaming system

Section 1 The gaming system shall have a function to register a player. Verification of the player’s authorization shall be done by means of a personal and unique authorisation code each time the player logs into the gaming system.

General advice: After the initial registration, when the Gambling Act (2018:1138) requires verification of the player via reliable electronic identification or equivalent, the licensee may continue to require verification via reliable electronic identification or equivalent. Alternatively, the licensee may choose to allow the player to create a username with the associated authorisation code. A feature of the gaming system should inform how the player can create a unique and secure access code.

Chapter 12, Section 1 of the Gambling Act (2018:1138) states that a licence holder must register those who wish to participate in gambling. Chapter 13, Section 2 states that when a player logs in to their player account, the licence holder must satisfactorily verify the player’s identity.

Section 2 The gaming system shall have a function that checks the player’s age.

Chapter 14, Section 2 of the Gambling Act (2018:1138) states that games subject to licensing may not be offered to anyone under 18 years of age. Gambling may only be offered if it is possible to verify the player’s age.

Section 3 If a check of the PEP pursuant to Chapter 3, Section 10 of the Act (2017:630) on measures against money laundering and financing of terrorism has been carried out, the check shall be recorded in the gaming system.

General advice: Registration can be done by entering a PEP box in the player register and noting yes or no.

The accredited body must verify whether there is a possibility of registering PEP checks. The term PEP is defined in Chapter 1, Section 2, point six, as a person who holds or has held a prominent public function in a country or in the management of an international organisation.

Section 4 All logins to a gaming account and any attempts to log in that have been made shall be recorded.

There shall be a feature in the gaming system to detect if someone who is not authorised is trying to log in to a player’s account. If an unauthorised person has attempted to enter a player’s account, the player shall be informed thereof immediately and thereafter in accordance with the licensee’s agreement with the player.

General advice: Notification that an unauthorised person has attempted to access a player’s gaming account may be made by any means the licensee deems most appropriate at the time, such as text messages, e-mails, or login information.

Section 5 A player’s identity, date and time shall be recorded at each login and log-out. When a player logs into the gaming system, their last login with time and date shall be available to the player.

Section 6 The gaming system shall have a function and documented procedures for the secure change of authorisation codes. A player’s authorisation code shall not be able to be changed unilaterally by the licensee.

General advice: If necessary, a one-time code can be sent to the player’s registered email address or registered mobile number.

Player account

Chapter 13, Section 1 of the Gambling Act (2018:1138) states that a licence holder who is licensed for online gambling must open a player account for each registered player.

Section 7 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) states that, in conjunction with opening an account, the customer must agree to the separate terms and conditions pertaining to the protection of the players’ money in the event of the licence holder becoming insolvent. The accredited body must verify the existence of a function for players to agree to such terms and conditions before being allowed to open a player account. The accredited body does not need to consider the contents of the terms and conditions.

Section 7 The gaming system shall have a function to manage and record all financial transactions to and from a gaming account in accordance with Chapter 13, Section 3 of the Gambling Act (2018:1138).

The player’s ability to keep track of their gambling is essential from a consumer protection perspective.

The licence holder must give the player access to information on the player account’s balance, gambling history, deposits and payments and any other transactions. Gambling history refers to transactions in the form of bets, winnings and losses. Other transactions can refer to bonuses, etc. Chapter 13, Section 3 of the Gambling Act (2018:1138) states that all financial transactions to and from a player account must be registered.

The information must be available to the player in the player account for at least twelve months. The accredited body must verify that there is a function to ensure that the information remains available to the player for twelve months.

In order to prevent fraud, it should not be possible for a licence holder to allow the transfer of money, tokens or similar between player accounts.

Section 8 When depositing funds in a gaming account, the licensee must be able to ensure that the declared debit/bank account holder or other payment service is the same as the player of the gaming account. The first paragraph shall also apply if the player changes a bank card, bank account or other payment service.

General advice: Security can be ensured via reliable electronic identification or equivalent.

The aim of this regulation is for the licence holder to be able to verify that the customer is an authorised user of the payment solution the customer has provided. When it comes to bank accounts or other payment services, the licence holder should therefore reserve the right to request the information/documents from the customer that are needed to, as far as possible, ensure that the customer has right of disposal for the provided account or that they are an authorised user of the payment service. In regard to bank cards, the licence holder should exercise customary control to verify that the customer is using their own card and that the card has not been suspended. Provisions regarding certain obligations for those conducting services in accordance with the Gambling Act (2018:1138), for example in regard to customer knowledge, are found in the Anti-Money Laundering Act (2017:630).

Chapter 13, Section 5 of the Gambling Act (2018:1138) states that a licence holder may only receive deposits from a payment service supplier in accordance with the Payment Services Act (2010:751). This means that the licence holder may not accept cash.

The accredited body must test the function used by the licence holder to comply with this rule.

Section 9 A player shall be able to see his balance on the gaming account immediately after each transaction has been executed. There must be a function which, in accordance with Chapter 13, Section 3, first paragraph, of the Gambling Act (2018:1138), shows the player which games they have taken part in, all bets made and all winnings paid out.

Chapter 13, Section 3 of the Gambling Act (2018:1138) states that all financial transactions to and from a player account must be registered. The information must be available to the player in the player account for at least twelve months. The accredited body must verify that there is a function to ensure that the information remains available to the player for twelve months.

Limitations of deposits, losses and login sessions

The individual is responsible for their own gambling, but some have a limited ability to gamble responsibly and with restraint. Gambling addiction must be considered a very serious issue. The negative effects of gambling must be counteracted. There is therefore a need for various responsible gambling measures, such as information and other proactive measures on the part of the licence holder. Necessary measures should be taken to give players the greatest possible insight into their own gambling behaviour.

Such measures may include the creation of a model to illustrate the player account to the player in various ways, as stated in Sections 7 and 9, and to follow up on the limitations set by the players in terms of time and bets. Licence holders should furthermore be obligated to give the players feedback on their gambling behaviours and implement restrictions and limited access.

Section 9 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) contains provisions on the possibility of limiting the duration of login sessions. The player must be able to limit how much time they spend logged in each day, week and month. The accredited body must verify that this possibility is offered to the player.

Section 13 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) contains provisions for the licence holder to give the player regular, clear and varied notifications of their winnings and losses as well as information on how long the player has been logged in. Such notifications are to be given as often as needed to counteract excessive gambling. The notifications must be acknowledged by the player, who is to be given the option of confirming or interrupting the game. The accredited body must verify that these functions are in place. The contents of the notifications and whether the notifications are regular and varied fall under the Swedish Gambling Authority’s supervisory responsibilities and are therefore not something that the accredited body needs to consider.

Section 10 For online gaming, there must be a feature where the player should easily specify the amount of deposits that can be made broken down by day, week and month. A player who has not set limits on deposits in accordance with the first paragraph is not allowed to gamble.

In the case of online games, a player must set an upper limit for deposits in accordance with Chapter 14, Section 7 of the Gambling Act (2018:1138). Chapter 11, Section 3 of the Gambling Ordinance states that limitations on deposits are to be stated per day, week and month.

Section 11 For online gaming, there must be a feature where the player can easily limit their login time.

Section 12 There must be a feature to be able to display the player warnings about winnings and losses as well as information about the time the player has been logged in.

Section 13 Only the player shall be able to determine the limits in accordance with Sections 10 and 11.

Exclusion from gambling

Self-exclusion from gambling is considered an important responsible gambling measure. In order to ensure the break from gambling that the player feels they need, the players should be able to exclude themselves temporarily or permanently from gambling.

In accordance with Chapter 14, Section 11, first paragraph of the Gambling Act, licence holders pursuant to the same act must give players the possibility of excluding themselves from gambling permanently or for a limited period of time. A permanent exclusion may not be revoked for twelve months.

Online casino games, online bingo and computer-simulated gambling machines are games where the player can quickly lose large sums. For this reason, Chapter 14, Section 11, second paragraph of the Gambling Act (2018:1138) states that the licence holder’s website must also have a so-called panic button that gives the player the option of immediately excluding themselves from such games for 24 hours.

Section 14 The gaming system shall have a feature that allows players to easily suspend themselves from games for a certain period of time or for an indefinite period.

Section 15 The gaming system shall have a function that checks whether players have suspended themselves or limited their playing time each time players register or log into the gaming system.

Start of game

Section 16 For games, there shall be a feature and documented procedures that prevent a bet from being placed after the licensee’s specified opportunity for the withdrawal or event of a future result has been started.

General advice: Where relevant, betting can take place during an ongoing match or similar, such as a bet on which team scores the next goal or the player of the match.

Chapter 10 Payout percentage

Chapter 14, Section 4 of the Gambling Act (2018:1138) states that a licence holder must keep information on the probability of winning the game easily available.

In conjunction with inspection, testing or certification of games, the accrediting body must verify the probability of winning and ensure that the correct payout percentage is given to the player. Chapter 5, Section 2, point 7 states that a checksum must be provided for certain classified information assets. For games, the payout percentage of the payout table is to be checksummed. A checksum is given jointly or respectively for the payout percentage and function. The list must specify the method used.

A checksum is defined in Chapter 1, Section 2, point 1, as figures appended to numbers or messages to allow discovery of changes and faults. Checksums are calculated using a specific mathematical procedure.

Section 1 For games with progressive winnings, the minimum payout percentage must be indicated to the player.

The player must also be given information on the probability of winning when playing a progressive game where the payout increases linearly in relation to the player’s bet.

Section 2 The gambling system must have a function to monitor the payout percentage of each individual game. Data that is generated in accordance with the first paragraph must be stored and kept available for audit.

The payout percentage can be based on probabilities. In some cases, the licence holder may indicate the smallest guaranteed payout percentage of a given playing cycle. A playing cycle should be of a reasonable length.

The licence holder should be able to produce a report of the payout percentages for each game.

Chapter 11 Game instructions, payout table and pot

Game instructions

Section 1 Game instructions must be complete, unambiguous and non-deceptive.

General advice: Game instructions may be translated into other languages, in which case they must have the same content as the original instructions.

Section 2 Game instructions and rules must be available without placing a bet.

Section 3 Game instructions must be available through the same type of medium as the game. Game instructions must be easily accessible.

General advice: If the characteristics of a game change temporarily during an ongoing game, the game instructions should be automatically adapted to the change.

Payout table

Section 4 There must be documented quality assurance procedures to ensure that the configuration of payout tables is correct. There must be documented procedures to ensure that the calculations of payout tables are correct.

General advice: These procedures can be both automatic and manual.

In conjunction with inspection, testing or certification of games, the accrediting body must verify that the licence holder’s calculations of payout tables are correct.

Pot

The provisions of Sections 5–7 fall under the Swedish Gambling Authority’s supervisory responsibilities and are therefore not something that the accredited body needs to consider.

Section 5 There must be rules for how a player can win a pot. It must be clearly stated how the pot is financed and distributed.

Section 6 It must be clear from the rules how a pot will be divided if there is more than one winner.

Section 7 It must be clear from the rules how a licence holder can cancel or terminate a pot.

Chapter 12 Abnormal gambling patterns and cheating

Chapter 14, Section 16 of the Gambling Act (2018:1138) states that licence holders must have procedures in place to detect and counteract actions covered by the provisions on cheating set out in Chapter 19, Section 4 of the Gambling Act, as well as violations of the terms of use and rules of the game.

Procedures to detect and counteract violations of the terms of use and rules of the game are not included in the assessment of the accredited body but fall under the Swedish Gambling Authority’s supervisory responsibilities. The evaluation of whether the licence holder has the relevant competence to make the necessary assessments also falls under the Swedish Gambling Authority’s supervisory responsibilities.

Section 1 The gambling system must have a function, and there must be documented procedures, to detect the occurrence of cheating and collusion between players, attempted cheating and collusion between players, and other violations of the terms of use and rules of the game.

The provision means that a licence holder must enable the detection and counteraction of criminal acts associated with gambling. This includes, among other things, that the licence holder must have systematic support in making the necessary assessments to enable detection of crimes such as cheating, collusion, attempted cheating and collusion between players.

Section 2 The gambling system must have a function that allows players to easily and immediately report suspected cheating, cheating, and collusion between players, attempted cheating and collusion between players, and other violations of the terms of use and rules of the game.

It is up to the licence holder to give the player the means to immediately bring cheating and other irregularities relating to the game to the licence holder’s attention.

Section 3 There must be a function for analysing and producing data for reports on illicit manipulation of the outcome of a game subject to betting.

Section 4 There must be documented procedures to detect and counteract deviations and abnormal gambling resulting from manipulation of games and software.

Chapter 13 Functional requirements for random number generators

Chapter 2, Section 2 states that the licence holder must submit documentation of inspection, testing and certification to the Swedish Gambling Authority. The report must clearly specify which evaluation methods have been used in the inspection, testing and certification processes.

Section 1 The results from a random number generator must be random, statistically independent, have a correct standard deviation and correct probability distribution. The results yielded by the random number generator must not be predictable without knowledge of the applied algorithm, implementation and initial values.

General advice: There are several statistical tests that can be used to ascertain the results of a random number generator. The DIEHARD test suite (Marsaglia) and the NIST test suite (National Institute of Standards and Technology) are two of the tests that can be used.

Section 2 There must be a documented reference to a well-established algorithm and any source code as well as to the recalculation procedure of the random number generator.

If the random number generator is built in to the software, it must be possible to present the entire source code, along with comments and documentation.

General advice: The algorithm that the random number generator is based on should be published in an internationally recognised publication. The outcome tests that may be used on generated random numbers include the χ² test (chi-squared test), the autocorrelation test and the runs test. The licence holder can enable verification of the set payout table by having the accredited body or the Swedish Gambling Authority review programmes, plates, logs, verification lists or other documentation for the payout table.

Information about the χ² test

The χ² test is performed as follows: Assume that the lottery consists of the numbers 1, 2, 3, ..., M. Each number should then be drawn with the probability 1/M. If this is to be tested, N numbers shall be drawn so that N = 10M, i.e. at least ten times the number of lottery numbers. A table notes how many times each number is drawn in this series. Assume that number 1 is drawn n_1 times, number 2 n_2 times etc. Then calculate the following so-called test quantity:

$$T = \frac{(n_1 - N/M)^2}{N/M} + \frac{(n_2 - N/M)^2}{N/M} + \dots + \frac{(n_M - N/M)^2}{N/M}$$

T is then compared with a table showing the χ² distribution. The number in the table, with which T is to be compared, shall correspond to M-1 degrees of freedom and the chosen risk of error (α) in the test performed. T shall not exceed this table value. A similar table is found in most basic textbooks in statistics (e.g. Hogg & Tanis, 2006). Alternatively, statistical functions are used in commercial software (e.g. Microsoft Excel) to calculate the so-called P value for the test quantity T. This P value shall not be lower than the chosen risk of error (α).

The value M is thus the number (slices in the Wheel / Number of possible outcomes in a ball draw) x 10. When calculating the P value, the Swedish Gambling Authority deems that the P value shall not be lower than 0.05. For physical lot-drawing equipment, a test is sufficient to approve the equipment. In case of a failed test, the test scope is expanded to double in size. Meaning, one test is performed first. If the outcome is below the P value, two new tests are done. All tests are combined in a total assessment.
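The χ² procedure described above, as an added example in Python (not code from the Swedish Gambling Authority or from the regulation): it computes the test quantity T from the draw counts and the P value from the χ² distribution with M-1 degrees of freedom, using only the standard library. The function names, the constructed sample draws and the choice of incomplete-gamma routine are assumptions of this example.

```python
import math
import secrets
from collections import Counter

ALPHA = 0.05  # the guidance states that the P value shall not be lower than 0.05


def _lower_gamma_series(a, x):
    """Regularized lower incomplete gamma P(a, x); used when x < a + 1."""
    term = total = 1.0 / a
    denom = a
    for _ in range(100000):
        denom += 1.0
        term *= x / denom
        total += term
        if abs(term) < abs(total) * 1e-15:
            break
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))


def _upper_gamma_contfrac(a, x):
    """Regularized upper incomplete gamma Q(a, x) by Lentz's continued fraction."""
    tiny = 1e-300
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 100000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return h * math.exp(-x + a * math.log(x) - math.lgamma(a))


def chi2_sf(t, df):
    """P value: probability that a chi-squared variable with df degrees exceeds t."""
    if t <= 0:
        return 1.0
    a, x = df / 2.0, t / 2.0
    if x < a + 1.0:
        return 1.0 - _lower_gamma_series(a, x)
    return _upper_gamma_contfrac(a, x)


def chi_squared_test(draws, m, alpha=ALPHA):
    """Test draws from the numbers 1..m for a uniform distribution."""
    n = len(draws)
    if m < 2:
        raise ValueError("need at least two possible outcomes")
    if n < 10 * m:
        raise ValueError("N must be at least ten times M")
    if any(not 1 <= d <= m for d in draws):
        raise ValueError("draw outside 1..M")
    counts = Counter(draws)
    expected = n / m  # N/M, the expected count of every number
    # Numbers that never came up still contribute (0 - N/M)^2 / (N/M).
    t = sum((counts.get(k, 0) - expected) ** 2 / expected for k in range(1, m + 1))
    p_value = chi2_sf(t, m - 1)
    return {"T": t, "df": m - 1, "p_value": p_value, "passed": p_value >= alpha}


def constructed_uniform_draws(m, repeats=10):
    """Constructed sample: every number drawn exactly `repeats` times."""
    return list(range(1, m + 1)) * repeats


def constructed_biased_draws():
    """Constructed sample, M = 10, N = 100: number 1 drawn 28 times, 2..10 eight times each."""
    return [1] * 28 + [k for k in range(2, 11) for _ in range(8)]


if __name__ == "__main__":
    print("uniform:", chi_squared_test(constructed_uniform_draws(37), 37))
    print("biased: ", chi_squared_test(constructed_biased_draws(), 10))
    # A 37-slice wheel driven by the operating system's CSPRNG (result varies per run).
    wheel = [secrets.randbelow(37) + 1 for _ in range(370)]
    print("csprng: ", chi_squared_test(wheel, 37))
```

The retest rule in the guidance (two further tests after a failed one, assessed together) is left to the caller, since the page does not say how the results are combined.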

Section 3 The random number generator must be able to withstand the set maximum load.

Testing of the random number algorithm call should be carried out to ensure that it can handle the maximum load. There must be no risk of the random number generator restarting or shutting down due to being called too often. It must be clearly indicated which evaluation methods have been used.

Section 4 Functions that do not generate outcomes in games but which depend on random elements must be based on the results of the random number generator.

General advice: Such functions may include a randomised sequence or placement at a poker table during a tournament.

Section 5 Calculations based on a random number generator must have a correct standard deviation and correct probability distribution. The numbers, symbols or events resulting from the random number generator must correspond with the rules set for the game involved.

General advice: If the random numbers are translated into cards, for example, there should be four aces, four kings, etc. in a normal deck, if the game uses a normal deck.

Section 6 The calculations of the random number generator must correspond to the events registered in the gambling system.

Section 7 If the rules of the game require a sequence from a random number generator to be set in advance, it is only allowed to generate new sequences if this is stated in the rules.

Section 8 Unless otherwise specified in the rules of the game, the results from a random number generator must always be independent of events in the current or previous games.

The licence holder must account for the rules that may influence the course of events in Section 8 in order for the accredited body to be able to evaluate the technology.

Drawing equipment without a random number generator

Section 9 The results from drawing equipment without a random number generator must be random, statistically independent, have a correct standard deviation and correct probability distribution.

General advice: The outcome tests that may be used on generated random numbers include the χ² test (chi-squared test), the autocorrelation test and the runs test.

Section 10 Independent drawing equipment without a random number generator must be kept locked in with limited access.

Drawing equipment for live casino games

Section 11 Drawing equipment used in live casino games must be monitored and recorded. The recorded material must show compliance with the rules of the game.

The recording must register date and time.

Chapter 16, Section 5 of the Gambling Act (2018:1138) states that information regarding the operation of the gambling system must be saved for at least five years.

Section 12 There must be physical access control for the premises used for live casino games and any associated areas. There must be separate access control, at least for different employee categories.

General advice: Dealer, floor manager, supervisor, surveillance staff are examples of various types of employees that should be categorised into different authorisation groups.

Chapter 14 Functional requirements when agent terminals are used for bets and control

Control of software and technical specifications in regard to information must be verified to assess whether the functions correspond to the regulation.

Random inspections are performed on site by the Swedish Gambling Authority.

Chapter 14, Section 4 enters into force on 1 January 2020. If the functions are already available at the time of the assessment, they must be described in an inspection report.

Agent terminal

Section 1 The gambling system must be able to clearly identify an agent terminal.

General advice: An agent terminal is part of the gambling system and identification can be made through validation of a checksum for the terminal’s individual parts, or similar procedure to ensure the integrity of the whole system.

Section 2 Communication between an agent terminal and the other parts of the gambling system must be protected during transfer by encryption or equivalent.

Section 3 Player or payment transactions sent from an agent terminal to other parts of the gambling system must be validated by the terminal at the end of the transaction before printout.

Agent terminal for validation of winnings

Section 4 If an agent terminal is used to validate winnings, it must be fitted with a screen intended to communicate information to the player.

The following information must be displayed on the screen that is turned towards the player
1. form of gambling;
2. bet;
3. cancellation;
4. amount won, or “no win”; and
5. game closed.

Chapter 15 Functional requirements for online games

Chapter 3, Section 1, points 1 and 3 of the Gambling Act (2018:1138) states that there must be a high level of consumer protection, and that the negative effects of gambling must be limited. The licence holder must, for example, provide information regarding which type of games are offered and the costs of gambling. Furthermore, the licence holder must take measures to counteract social and economic harm and problem gambling. The negative effects of gambling must be limited.

A player must be able to see and understand information that enables an active and informed choice. Chapter 14, Section 1 of the Gambling Act (2018:1138) states that the player must be protected from excessive gambling. Section 17 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) states that there must be logotypes with links to self-assessments, restrictions (gambling budget), limitation of sessions and exclusion from gambling. The logotypes must be pinned at the top of all the licence holder’s websites, mobile websites, applications and similar. The logotypes will be provided by the Swedish Gambling Authority. The accredited body must assess whether this provision has been fulfilled.

Game design

Section 1 Games with interactive options must have illustrations that clearly show current and possible bets. Games in accordance with the first paragraph must clearly illustrate the possibility of changing or resetting the current bet.

In accordance with Chapter 14, Section 5 of the Gambling Act (2018:1138) and Sections 19–20 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2), a game may not be designed or programmed to give players the impression of being close to winning, if this is not the case. A game also may not give the impression that the player’s approach or choices have an impact on their probability of winning, if winning is exclusively down to chance.

Section 2 Each round must last for at least three seconds. The first paragraph also applies to autoplay functions.

Section 3 A player’s participation in a game, and the choices made by the player in the gambling system, must be optional.

A player must be given a reasonable period of time to consider the consequences of a choice. Repeated choices made by a player in the gambling system must not be able to be placed in a queue.

General advice: Choices that can be made include “buy”, “pay”, “spin”, “play”, “hold”, “draw”, “double”.

Section 20 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) states that notification of choices influencing the outcome of the game must be shown to the player for at least three seconds before a choice is made automatically.

Visual presentation

Section 4 The name of the game must be displayed on all pages associated with that particular game.

Section 5 The gambling system must have a function that continuously shows the player how long they have been logged in.

Section 13 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) states that the player must be given regular notifications of how long they have been logged in. Chapter 14, Section 1 of the Gambling Act (2018:1138) states that the player must be protected from excessive gambling. The player should have some notion of how much time they spend gambling. Continuously visualising the time consumption to the player allows them to more easily get an idea of how long they have actually spent logged in. The requirement to continuously show the player’s time consumption is not a hindrance or alternative to regular, clear and varied notifications in accordance with Section 13 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling.

Section 6 The gambling system must have a function that continuously shows the player their balance throughout the session.

Chapter 14, Section 1 of the Gambling Act (2018:1138) states that the player must be protected from excessive gambling. The player should have some notion of their own gambling. Continuously visualising their balance to the player allows them to more easily get an idea of how much they have actually spent on gambling.

Section 7 The bet on a game must be clearly displayed.

The player’s possible and actual bets, as well as the minimum and maximum bets, must be clearly displayed.

The gambling system must have a function that clearly visualises the player’s bet, including the total bets in the game.

General advice: An example of when a player’s bet may be included in the total bets is when the player can bet on a combination of things happening in a single bet.

Section 18 of the Swedish Gambling Authority’s regulations and general advice on responsible gambling (LIFS 2018:2) states that all bets must be indicated in SEK. If another currency, credits or similar is used, they must always be indicated in SEK too. Chapter 14, Section 1 of the Gambling Act (2018:1138) states that the player must be protected from excessive gambling. The player should have some notion of their own gambling. Continuously visualising the actual cost to the player in SEK allows players to more easily get an idea of how much they have actually spent on gambling.

Section 8 A player must be informed that there are factors beyond their control, which may affect the game and its outcome.

General advice: Factors that may affect a player include the use of automation or add-ons for automatic features.

Section 9 The outcome of a game must remain visible for a reasonable period of time.

What is considered reasonable must be based on what game it is, the size of the bet, the size of the winnings or losses along with other factors that may affect the extent of the outcome. The important thing is for the player to have a chance to take in the result.

Section 10 Computer-simulated gambling machines must clearly indicate or illustrate which symbols represent a win. If different combinations of symbols lead to a win, these must be clearly indicated or illustrated.

Section 11 If the characteristics of a game change temporarily the game must clearly indicate the current status before the next game.

Section 12 A symbol that is used in a gambling system must have the same shape and colour throughout that particular game.

Section 13 The number of active decks as well as which cards are included in a particular game must be clearly indicated.

The front of the card must clearly show its suit and rank.

The rules of the game must clearly state when the cards will be shuffled.

General advice: In different games, cards other than the playing cards may be included.

Section 14 If a non-traditional die is used in a dice game, this must be made clear to the player.

It must be clearly indicated which side of a die wins a game.

Section 15 A gambling system must have a function to prevent players playing against themselves.

A gambling system must have a function to discover and prevent one or more players using the same gambling equipment at the same time.

Section 16 The current pot amount must be visible to all participating players.

Section 17 A player must immediately be informed of winning the pot. Once a pot has been won, all players must be informed of its new value. Information pursuant to the second paragraph must also be available to players who have not participated in the specified pot.

What is considered immediately informed must be based on the type of game in question, the size of the pot, the size of the bet along with other factors that may affect the scope of the pot. The important thing is for the player to have a chance to absorb the information.

Section 18 It must be clearly stated if a pot is not available to a player.

It must be ensured that all information given to the players is correct, regardless of whether or not a pot is available.

1. These regulations and general advice shall enter into force on 1 January 2023.
2. For those who are licensed to provide games pursuant to Chapter 6 of the Gambling Act (2018:1138) before 1 January 2023 and do not provide games online, the regulations apply for the first time on 1 July 2023.
3. Before their entry into force, the regulations may be applied to licence applications that are submitted to the Swedish Gambling Authority after 1 September 2022 and which concern the period after 1 January 2023.
4. The regulations repeal the Authority’s regulations and general recommendations (LIFS 2018:8) on technical requirements and the accreditation of bodies for those responsible for checking, testing and certifying gambling activities.

Chapters 1 and 4 of the Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest (LIFS 2018:4).

Lotteries subject to the Swedish Gambling Authority’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gaming service providers are also subject to the requirements on the technical properties of lottery tickets set out in Chapter 4 of the Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest (LIFS 2018:4). Chapters 1 and 4 of the Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest are provided below. Chapter 1, Section 2 provides definitions of terms used. Chapter 4 states which requirements are applicable to the properties of physical lottery tickets.

In order to clarify to the accredited body which requirements need to be inspected, tested or certified, the requirements are written in bold in Chapter 4.

Chapter 1. Scope and terminology

Section 1 These regulations and general advice apply to those who are licensed to provide state lotteries in accordance with Chapter 5, Section 1 of the Gambling Act (2018:1138) and those who are licensed to provide lotteries in accordance with Chapter 6, Section 3 of the Gambling Act. The Swedish Gambling Authority may decide on exemptions from the regulations, if this is justified from a safety point of view and otherwise does not pose any risks to the player.

Section 2 Unless otherwise stated, the terminology and names used in the regulations take the same meaning as in the Gambling Act (2018:1138) and the Gambling Ordinance (2018:1475). In these regulations and general advice, the following definitions are used
1. post-drawn lottery ticket: a lottery ticket that is not sealed, where the draw takes place after the purchase;
2. electronic lottery ticket: a physical lottery ticket bearer that can contains electronic components and may contain one or more tickets;
3. physical lottery ticket: a ticket which is not an electronic lottery ticket and is not sold and played online;
4. distribution draw: a draw where the ticket is included in a draw that determines the value of the winnings;
5. pre-drawn lottery ticket: a sealed lottery ticket, where the buyer can immediately see whether or not they have a winning ticket;
6. lifting: removal of layer, such as scratch-off coating, which conceals game information;
7. minitext: a text with a maximum height of 0.4 mm and a minimum length of 35 mm which, without any aids, gives the impression of a line and which is clearly legible in magnification;
8. online validation: connected control of any winning value of the lottery ticket against the licensee's gaming system;
9. relief: letters, figures or symbols that have been thickly coated to give the surface of the paper a raised profile, or letters, figures or symbols that have been punched into the surface of the paper, giving them an indented profile;
10. reproduction: imaging by means of technical equipment with subsequent printing or pressing;
11. game information: information on the lottery ticket that determines whether or not it represents a win;
12. security printing pattern: thin lines of at least two colours and with a maximum line width of 0.10 mm, which intersect at sharp angles. May also be of the line relief type, i.e. where thin solid lines create a design that gives the impression of being in relief (three-dimensional);
13. UV-dead material: a material that does not illuminate when exposed to UV light;
14. UV security feature: an image or pattern printed with UV fluorescent ink. The image/pattern shall only appear when illuminated with UV light at a wavelength of 365 nm and fluoresce in a colour that differs from the background colour on which it is printed;
15. overprint: image or pattern printed on top of a scratch layer or equivalent, which is designed to give a clear indication of whether the scratch layer has been removed.

Chapter 4 The properties of physical lottery tickets

Section 1 An individual lottery ticket, which is included in a distribution drawing, must be unique. An individual lottery ticket must be attributable to a batch or round in accordance with the licence granted.

Section 2 Physical or electronic lottery tickets shall not have such physical defects or markings that could make it possible to screen out the winning tickets. It shall not be possible to read the game information on a sealed lottery ticket. Sealed lottery tickets shall have protection against manipulation and reproduction.

Section 3 If licensees have a certified online validation system, the requirements for lottery tickets set out in Section 4, paragraphs 2-3, in Section 5, paragraphs 1-3, and in Section 6, paragraphs 2-3, of this Chapter shall not apply.

Section 4 For pre-drawn, sealed lottery tickets, where the maximum possible winnings exceed one (1) price base amount, the following shall apply:
1. it shall not be possible to reseal an opened lottery ticket;
2. lottery tickets shall have minitext;
3. lottery tickets shall have a UV security feature;
4. it shall not be possible to read the game information by passing light through it;
5. the game information must not give rise to a relief on the outside of the seal;
6. the game information shall be safeguarded against alteration;
7. the scratch layer shall have an overprint concealing the game information and control field;
8. sealed control fields shall be safeguarded against lifting and reading.

Section 5 For post-drawn lottery tickets, where the maximum possible winnings exceed one (1) price base amount, the following shall apply:
1. lottery tickets shall have minitext;
2. lottery tickets shall have a UV security feature;
3. lottery tickets shall be printed on UV-dead material;
4. lottery tickets shall have a security printing pattern;
5. the game information shall be safeguarded against alteration.

Section 6 For electronic lottery tickets, where the maximum possible winnings exceed 1/6 of the price base amount, the following shall apply:
1. activation and resetting of the tickets shall leave clear traces;
2. lottery tickets shall have minitext;
3. lottery tickets shall have a UV security feature;
4. the tickets shall have a control field with overprint;
5. electronics and display shall be protected from manipulation.

Appendix 1

Background information for those who intend to apply for accreditation in accordance with Chapters 2–3 of the SGA’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gaming services ( ).

ISO/IEC 17021-1 Requirements for bodies providing audit and certification of management systems
ISO/IEC 27006 Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 17020 Requirements for the operation of various types of bodies performing inspection
ISO/IEC 17025 General requirements for the competence of testing and calibration laboratories
ISO/IEC 17065 Requirements for bodies certifying products, processes and services

Chapter 16, Section 3 of the Gambling Act (2018:1138) and Chapter 2, Sections 1–3 of the Swedish Gambling Authority’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gaming services state that a large proportion of a licence holder’s gambling services must be assessed by an accredited body. The following is an account of each chapter of the regulation mentioned above, along with information on which accredited body is responsible for assessment.

A gambling company applying for a licence can opt for combinations of certificates/reports from both alternative A and/or alternative B to certify that they meet the requirements. Regardless of whether alternative A or B is selected, the licence applicant must submit the generated certificates and reports to the Swedish Gambling Authority as documentation for their licence application.

| The Swedish Gambling Authority’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gambling services | Alternative A: Accredited for | Comment for A (Output) | Alternative B: Accredited for | Comment for B (Output) |
| --- | --- | --- | --- | --- |
| Chapter 4 Information security | ISO/IEC 17021-1 and ISO/IEC 27006 | ISO 27001 certificate | ISO/IEC 17065 | Carried out as a management system assessment (ISO/IEC 17021-1). Certificate issued* |
| Chapter 5 Risk and vulnerability management | ISO/IEC 17021-1 and ISO/IEC 27006 | ISO 27001 certificate | ISO/IEC 17065 | Carried out as a management system assessment (ISO/IEC 17021-1). Certificate issued* |
| Chapter 6 System changes | ISO/IEC 17021-1 and ISO/IEC 27006 | ISO 27001 certificate | ISO/IEC 17065 | Carried out as a management system assessment (ISO/IEC 17021-1). Certificate issued* |
| Chapter 7 Functions for game administration | ISO/IEC 17025; ISO/IEC 17020 | ISO/IEC 17025: Test report to show that the functions exist. ISO/IEC 17020: Inspection report to show that the functions work. | ISO/IEC 17065 | Carried out as testing activity as part of a product certification audit (ISO/IEC 17025). The result is reported in an appendix to the certificate.* |
| Chapter 8 Information that a gambling system must be able to generate | ISO/IEC 17025; ISO/IEC 17020 | ISO/IEC 17025: Test report to show that the functions exist. ISO/IEC 17020: Inspection report to show that the functions work. | ISO/IEC 17065 | Carried out as testing activity as part of a product certification audit (ISO/IEC 17025). The result is reported in an appendix to the certificate.* |
| Chapter 9 Functional requirements in relation to the players | ISO/IEC 17025; ISO/IEC 17020 | ISO/IEC 17025: Test report to show that the functions exist. ISO/IEC 17020: Inspection report to show that the functions work. | ISO/IEC 17065 | Carried out as testing activity as part of a product certification audit (ISO/IEC 17025). It can alternatively be done as a control activity under ISO/IEC 17065. The result is an integral part |
| Chapter 10 Repayment process | ISO/IEC 17025; ISO/IEC 17020 | ISO/IEC 17025: Test report to show that the functions exist. ISO/IEC 17020: Inspection report to show that the functions work. | ISO/IEC 17065 | Carried out as testing activity as part of a product certification audit (ISO/IEC 17025). The result is reported in an appendix to the certificate.* |
| Chapter 11, Section 4 Game play instructions, payout table and pot | ISO/IEC 17025; ISO/IEC 17020 | ISO/IEC 17025: Test report to show that the functions work. ISO/IEC 17020: Inspection report to show that the functions work. | ISO/IEC 17065 | Carried out as testing activity as part of a product certification audit (ISO/IEC 17025). The result is reported in an appendix to the certificate.* |
| Chapter 12 Abnormal gambling patterns and cheating | - | Not included | - | Not included |
| Chapter 13 Functional requirements for random number generators (All parts) | ISO/IEC 17025 | Test report of the correct function of random number | ISO/IEC 17065 | Carried out as testing activity as part of a product certification audit (ISO/IEC 17025). The result is reported in an appendix to the |
| Chapter 14 Agent terminals | ISO/IEC 17020 | Inspection report of the licence holder’s compliance with the requirements. | ISO/IEC 17065 | Carried out as a control activity under ISO/IEC 17065. The result is included in the certificate.* |
| Chapter 15 Functional requirements for online games. | ISO/IEC 17020 | Inspection report of the licence holder’s compliance with the requirements. | ISO/IEC 17065 | Carried out as a control activity under ISO/IEC 17065. The result is included in the certificate.* |

| The Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest are provided below. | Alternative A: Accredited for | Comment for A (Output) | Alternative B: Accredited for | Comment for B (Output) |
|---|---|---|---|---|
| Chapter 4 The properties of physical lottery tickets | ISO/IEC 17025 | Test report of the physical lottery tickets’ compliance with the requirements in chapter 4. | ISO/IEC 17065 | Carried out as testing activity (ISO/IEC 17025). The result is reported in an appendix to the certificate.* |

*The certificate is provided by a product certification body and includes all requirements set out in the Swedish Gambling Authority’s regulations, as specified in the guide. The decision is based partly on the certification body’s own assessments and partly on valid test reports which show that the gambling systems fulfil the requirements of the regulations in those parts that the accredited certification body has not tested.

The accreditation of the accredited bodies should be of the following scope.

| Body | Accredited in accordance with current edition of | Scope |
|---|---|---|
| Certification body for certification of management | ISO/IEC 17021-1 and ISO/IEC 27006 | ISO 27001 for IAF code 33 and 39** |
| Certification body for certification of product | ISO/IEC 17065 | The Swedish Gambling Authority’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gaming service providers ( ), the Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest (LIFS 2018:4 including amendments according to SIFS 2024:2). |
| Test laboratory* | ISO/IEC 17025 | The Swedish Gambling Authority’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gaming service providers ( ), the Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest (LIFS 2018:4 including amendments according to SIFS 2024:2). |
| Inspection body* | ISO/IEC 17020 | The Swedish Gambling Authority’s regulations and general advice on technical requirements and accreditation of bodies for inspection, testing and certification of gaming service providers ( ), the Swedish Gambling Authority’s regulations and general advice on state lotteries and lotteries for matters of public interest (LIFS 2018:4 including amendments according to SIFS 2024:2). |

*The requirement for an inspection body to be independent is of Type A, and the requirement for test laboratories to be independent corresponds to the requirement set for the inspection body.

**IAF code 33: Information Technology, IAF code 39: Other social services (which includes lotteries).