
Resolution Of 6 October 2014, The General Direction Of Management Of The Game, Which Approves The Provision By Which Develop Technical Specifications Of Game, Traceability And Security That T Systems Must Meet

Original Language Title: Resolución de 6 de octubre de 2014, de la Dirección General de Ordenación del Juego, por la que se aprueba la disposición por la que se desarrollan las especificaciones técnicas de juego, trazabilidad y seguridad que deben cumplir los sistemas t


Law 13/2011, of 27 May, of regulation of the game, establishes the regulatory framework for gambling activity, in its various modalities, carried out at state level, in order to guarantee the protection of public order, fight fraud, prevent addictive behaviour, protect the rights of minors and safeguard the rights of participants in games.

The technical requirements of Law 13/2011 have been established by Royal Decree 1613/2011 of 14 November, which, interpreted in accordance with the additional provision of Law 3/2013 of 4 June, on the creation of the National Commission of Markets and Competition, assigns in its first final provision to the Directorate General of the Management of the Game the development of certain technical aspects specific to the marketing of the gambling activities covered by that Act.

The technical specifications to be met by the technical gaming systems licensed under Law 13/2011 of 27 May, regulating the game, were developed in the Resolution of November 16 2011, from the General Management of Game Management.

More than a year having elapsed since the opening of the market, it is necessary to review the Resolution of November 16, in its content and form, based on the accumulated experience.

By virtue of the foregoing, and following the favorable report of the State Advocate at the Ministry of Finance and Public Administration's Secretariat of State of Finance, it is hereby agreed:

First.

Approve the provision for the development of the technical specifications to be met by the technical gaming systems enabled in Spain and their control mechanisms, which is attached as an annex to this Resolution.

The technical specifications provided for in this provision that are incompatible with the nature and characteristics of the game's participation channel will not apply to gaming activities carried out via text messaging, through fixed or mobile telephone services, or through audiovisual media.

Second.

This Resolution shall enter into force on the day following that of its publication in the "Official State Gazette".

Third.

The technical systems for licences granted before the date of publication of this Resolution shall be adapted to it within a maximum period of six months from the date of its entry into force.

A transitional regime of one year from the date of publication of this Resolution is established for the fulfilment of the technical requirements relating to the format and length of passwords set out in "2.1.12 User authentication and password policy". If, in the period between six months and one year after the publication of this Resolution, the user has to renew the password because of loss or expiration, the new password must conform to the requirements established in this Resolution.

Fourth.

Repeal the provision for the development of the technical specifications to be met by the technical gaming systems, approved by Resolution of 16 November 2011, of the General Management of Game Management, which this provision replaces.

Madrid, October 6, 2014. The Director General of the Game Management, Carlos Hernandez Rivera.

ANNEX

Provision developing the game, traceability and security technical specifications that must be met by the non-reserved technical gaming systems covered by licences granted under Law 13/2011, of May 27, of regulation of the game

Index

1. General provisions.

1.1 Object.

1.2 Definitions.

2. User registration, game account, means of payment.

2.1 User registration and participation limitation.

2.2 Play account and participant deposits.

2.3 Means of payment and collection.

2.4 Personal data protection.

3. Game.

3.1 Basic regulation of the game.

3.2 Redirection to domain ".es".

3.3 Percentage of return to participant.

3.4 Award Tables.

3.5 Random Number Generator (GNA).

3.6 Logic of the game.

3.7 Accessorial user terminals and physical terminals.

3.8 User Session.

3.9 Graphical Interface.

3.10 Integration with suppliers and in gaming networks with other operators.

3.11 Disabling a game or a user session.

3.12 Incomplete play.

3.13 Automatic Game.

3.14 Repetition of the move.

3.15 Virtual Players.

3.16 Metamorphic Games.

3.17 Participant in "absent" state.

3.18 Multi-participant Games with host.

3.19 "Live" Play.

3.20 Pots, progressive jackpots, and additional prizes.

3.21 Games through "deferred" communication channels.

4. Security of information systems.

4.1 Critical components.

4.2 Managing the security of the gaming technical system.

4.3 Risk management.

4.4 Security Policy.

4.5 Organization of information security.

4.6 Security in communicating with participants.

4.7 Human and third-party resource security.

4.8 Physical and environmental security.

4.9 Communications and operations management.

4.10 Access Control.

4.11 Purchase, development and maintenance of systems.

4.12 Managing security incidents.

4.13 Change Management.

4.14 Managing service availability.

4.15 Information Loss Prevention Plan.

4.16 Business Continuity Management.

4.17 Penetration testing and vulnerability analysis.

5. Internal control and inspection system.

5.1 Internal control system.

5.2 In-person and telematic inspection.

6. Game technical system records and logs.

6.1 Registration and traceability.

6.2 Log based on the merchandising channel.

1. General provisions

1.1 Object. -This provision aims to develop the technical specifications to be met by the non-reserved technical gaming systems of licensed operators under the Law 13/2011, of May 27, of regulation of the game and the mechanisms of control of the same.

The technical infrastructure of the operators will ensure that the General Management of Game Management can supervise the game operations performed, obtain the records generated during their development, and be provided with any other information that is considered relevant.

For these purposes, this provision sets out specifications for the storage of game operations records and their traceability, in the format and in accordance with the procedure established by the Directorate-General of Game Management, and details the security requirements of the information systems used for the game, both physical and logical, as well as the organization and management of the game.

1.2 Definitions. -For the purposes of this provision, the terms used in this provision shall have the meaning set out in this paragraph.

1. Technical game system: The technical system of the game is understood to be the set of equipment, systems, terminals, instruments and software, as well as the procedures necessary for the control of its correct operation, used by the operator for the organisation, exploitation and development of the gaming activity. The game technical system supports all the operations necessary for the organization, exploitation and development of the game activity, as well as the detection and recording of the corresponding transactions between the participants and the operator.

The basic elements of the technical gaming system are the central gaming unit and the internal control system. The technical game system will provide the information necessary for its control in Spanish. If it is not available in Spanish, the General Management of the Game Management may require its translation, on a permanent or ad hoc basis.

2. Central Gaming Unit: The central gaming unit is the set of technical elements needed to process and manage the operations performed by the participants in the games. The gaming platform and the gaming software are part of the central gaming unit.

3. Gaming Platform: The gaming platform is the software and hardware infrastructure that constitutes the primary interface between the participant and the gaming operator and provides the participant with the tools necessary to open and close their game account, record and edit their profile information, deposit or withdraw funds from their gaming account, and view the details of the movements in their account or a summary of them.

The gaming platform includes any website that displays relevant information to the participant about the games offered by the operator, as well as any client software that the participant has to download in order to interact with the platform.

The gaming platform allows the operator to manage the participant's gaming accounts, as well as the game's financial transactions, report game results, enable or disable records and accounts and set all configurable parameters.

The following components are part of the gaming platform:

• The databases that collect the personal data of the participants in the games, those relating to the totality of the transactions made by the participants and the information regarding the results of events or sporting events, coefficients, etc.

• Payment gateways that allow economic transactions to be performed between the participant and the gaming operator and that contain the logic necessary to transfer funds from the payment means employed by the participant to the operator and from this to the participant.

The gaming platform must meet the technical requirements set forth in this provision.

4. Game software: Game software means each of the modules or software components that manage each of the games, authorize and implement the rules of each of them, and are accessed from the gaming platform.

5. Random number generator: The random number generator, also known by its acronym GNA, is the software or hardware component that, by means of procedures that guarantee its randomness, generates the numerical results that are used by the operator for the determination of the results of each of the games in which it is used.

By a process called scaling, the raw result obtained by the random number generator is converted into a value within the range of values that each game supports (52 card values, n bingo numbers). These numbers, through the process of translation or mapping, are converted to the symbols used by the game (cards, balls, etc.).

6. Internal control system: The internal control system, or SCI, is the set of components intended to record the transactions made in the development of the games in order to guarantee to the General Management of the Game the ability to maintain permanent control over the operator's gaming activities.

The internal control system will consist of the captor and the secure database or gaming operations store.

7. Captor: The captor is the component of the operator's internal control system intended for the capture and recording of the monitoring and control data established by the General Management of the Game Management, their translation and their storage on the device called the gaming operations store.

8. The secure database or gaming operations warehouse: The secure database or gaming operations store (hereafter, warehouse) is the device located in Spain that contains the monitoring and control data introduced by the captor and to which the General Management of the Game has access. The information extracted from the game system by the captor must be stored with the format and structure established by the General Management of the Game.

9. User registration: User registration is understood as a single registration that allows the participant to access the gaming activities of a particular operator and in which data are collected, among others, that allow the identification of the participant and those that enable economic transactions between the participant and the gaming operator.

10. Game account: A game account is the account opened by the participant, linked to their user registry, in which the deposits of money intended to pay for participation in the gambling activities are recorded and to which the amounts of prizes awarded for participation are credited.

2. User registry, game account, and payment means

2.1 User registration and limitation of participation. -Requirements regarding the identification of the participants in the games and the control of the subjective bans on participation are established in the Articles 26 and 27 of Royal Decree 1613/2011 and are developed in the corresponding Resolution of 12 July, of the General Management of the Game.

This resolution develops the minimum content of the user registry, as well as the internal controls that the operator must set.

2.1.1 Minimum user registry content. The identification of the participants shall be carried out through a user registry which shall contain at least the following data:

-Identification data:

• For residents, tax identification number (NIF) or foreign identification number (NIE). In both cases, the number must be stored in a standardised format.

• For non-residents, an equivalent document: ID card, social security card, passport, driving licence.

• Name and last name.

-Personal data:

• Date of birth.

• Sex.

• Home address.

• For non-residents, country of residence.

• Nationality.

• Email.

• Phone.

-Tax Residence Data:

• Tax residence code of the participant, in accordance with the provisions of model 763 of the self-settlement of the gambling activities tax, approved in Order EHA/1881/2011, of July 5.

• For non-residents it will be necessary for the participant to provide a copy of the document used for identification.

2.1.2 How to store copy of the contributed documents. The operator shall establish the technical procedures necessary for the preservation of the digital copy of the documents provided by the participants.

2.1.3 Game Contract. The operator shall keep track of the acceptance of the contract and any amendments thereto.

2.1.4 Verification services offered by the General Management of Game Management. The General Management of Game Management provides operators with an online service for verifying the identity and date of birth of participants resident in Spain: the verification service is based on the NIF/NIE of the participant.

The operator will record and retain every query it makes to the identity verification system, recording the date, hour and minute of the query. The data shall be retained, together with those corresponding to the user registry, during the period of validity of the user registry and for the six years following its cancellation or annulment.

The General Management of Game Management provides operators with two online verification services for the registration of participants in the General Registry of Access to Game Interdictions:

• A verification service for the registration of a participant in the General Register of Access to the Game for participants resident in Spain from NIF/NIE. Operators must use this service to check enrollment in the user registry process.

• A service for consulting the variations (additions/removals) in the registration in the General Register of Access to the Game, corresponding to the participants that the operator has previously verified. Operators must use this service every hour to verify the variations in the registration in the General Register of Access to the Game of their participants.

The operator will record and retain every query it makes to the General Registry of Access to the Game Interdictions, recording the date, hour and minute of the query. The data shall be retained, together with those corresponding to the user registry, during the period of validity of the user registry and for the six years following its cancellation or annulment.

2.1.5 User registration activation and participation limitation. The operator shall have a documented user registration and activation procedure which shall contain the requirements for identification and limitation of participation set out in Articles 26 and 27 of Royal Decree 1613/2011 of 14 November, on the development of Law 13/2011, of 27 May, of regulation of the game, regarding the technical requirements of the activities of the game.

The operator is responsible for the accuracy of the data contained in their user records and for the correct identification of the participants in the games they organize or develop. The operator shall also have a sufficient identity and date of birth verification service to determine the accuracy of the registration. This service may be provided by third parties providing professional identity verification services.

Operators must record and retain all the steps, queries and requests they have made for the verification of the data provided by the applicants, as well as any documents received or used for this purpose. The data shall be retained, together with those corresponding to the user registry, during the period of validity of the user registry and for the six years following its cancellation or annulment.

2.1.6 Periodic Review of User Records. The operator shall establish a technical procedure, which allows for the periodic review of user registries in the terms set out in Article 26.3 of Royal Decree 1613/2011 of 14 November, for the development of Law 13/2011, of May 27, game regulation, as regards the technical requirements of gaming activities.

2.1.7 Cancellation of the user registry. The operator will retain the data for the cancelled user records. The record will detail the time of cancellation and the reason.

2.1.8 Suspension by inactivity. The operator will keep a record of the user records suspended by inactivity, which will include the suspension date.

2.1.9 The precautionary suspension of the user registry. An operator may temporarily suspend a participant whose conduct is, in the operator's view, collusive or fraudulent, or who has permitted the use of their user registry by third parties, until the facts are proven.

2.1.9.1 Measures to prevent fraud and money laundering. The operator shall have procedures for the detection of fraud and money laundering. The procedures shall include the prompt notification of suspicious actions to the competent public bodies for their investigation.

In live betting games, the operator will have measures to mitigate the risk that some players may gain an advantage over other players by betting on information about a certain outcome or after an event that fundamentally alters the odds of the bet.

2.1.9.2 Registration and communication regarding the precautionary suspension of the user registry. The operator will keep a record of suspended users. The record will include the date and reason for the suspension.

The DGOJ will establish a telematic procedure through the electronic headquarters for the purpose of operators reporting monthly on blocked or suspended accounts.

2.1.10 Single active user registry. The operator shall establish the procedures and mechanisms necessary to ensure the requirement of single active user registration per participant in Article 26.2 of Royal Decree 1613/2011 of 14 November for the development of the Law 13/2011, of May 27, of regulation of the game, regarding the technical requirements of the activities of the game.

2.1.11 Identification for access. Once the registration process is complete, a single user identifier will be assigned to the participant. Access to the user registry and the game account must be reserved exclusively to the registrant.

2.1.12 User authentication and password policy. Access to the user registry must have security mechanisms to authenticate the user on the platform.

User authentication can be performed by using passwords. The password policy must include at least the following minimum requirements:

• An initial user password must be set, either by default or by the participant.

• During the process of defining the user password, the participant must be informed about good practices in choosing secure passwords.

• The minimum password length will be eight characters or digits, and will include at least three of the following groups: numbers, lowercase letters, capital letters, and other symbols.

• The password may not contain any of the following: the user name, the pseudonym, the name or last name or the date of birth of the participant.

• A password change reminder must be offered to the user at a minimum annual frequency, although it is not mandatory for the user to make the change.

• The user and password identification mechanism should be blocked if more than five failed access attempts occur on the same day. The operator may set a lower limit to this requirement.

The operator's system will be designed to require participant authentication before each user login and, where passwords are used, entry of the password. The system will not use cookies or other mechanisms that allow user authentication or password entry to be skipped.

The operator will be able to provide other user authentication methods whenever they offer a higher level of security than the password.

The system will keep track of all access attempts, either with or without success, for subsequent audit.

The operator will have a documented user access security procedure which will describe:

• The way in which the user registry is protected from unauthorized access.

• Whether or not there is an indirect or operator-assisted means of accessing the user registry, in which questions must be answered before access is granted or renewed.

• The treatment of missing user IDs or passwords.

• The operator will have a procedure to detect accounts that have been inactive for a reasonably long time and will require a higher level of authentication than normal, or additional verifications through customer service, before allowing the resumption of gaming activity, especially withdrawals. The inactivity threshold defined by the operator for requesting an additional level of authentication or verification cannot be longer than six months.

• The operator will also have a procedure to detect, within reason, unauthorized access to the participants' accounts, impersonation attempts, or attempts to access their personal data.

• In addition, the operator will have a procedure to detect sudden changes in a participant's behaviour, in particular in the amount of deposits or withdrawals, and will take action to prevent the game account from being accessed by a third party.
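
The password rules, daily lockout and inactivity threshold of section 2.1.12 can be checked in code as follows; this is an added illustration, not part of the Resolution or of any operator's system. The function and class names, the date formats tested, the 183-day reading of "six months" and the lifting of the block on the next calendar day are assumptions.

```python
import unicodedata
from datetime import date, datetime, timedelta

MIN_LENGTH = 8                        # 2.1.12: minimum password length
MIN_GROUPS = 3                        # at least three of the four character groups
MAX_FAILURES_PER_DAY = 5              # blocked once failures on one day exceed five
MAX_INACTIVITY = timedelta(days=183)  # assumption: "six months" taken as 183 days
MIN_TOKEN_LEN = 3                     # assumption: skip name particles such as "de"


def _fold(text):
    """Lower-case and strip accents so that 'García' matches 'garcia'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def _birth_date_forms(born):
    """Common written forms of a date (this list of formats is an assumption)."""
    patterns = ("%d{0}%m{0}%Y", "%Y{0}%m{0}%d", "%d{0}%m{0}%y")
    return {born.strftime(p.format(sep)) for sep in ("", "/", "-", ".") for p in patterns}


def policy_violations(password, *, username, pseudonym, first_name, last_name, birth_date):
    """Return the password rules of 2.1.12 that `password` breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    groups = [
        any(c.isdigit() for c in password),      # numbers
        any(c.islower() for c in password),      # lowercase letters
        any(c.isupper() for c in password),      # capital letters
        any(not c.isalnum() for c in password),  # other symbols
    ]
    if sum(groups) < MIN_GROUPS:
        problems.append("groups")
    # User name, pseudonym, each part of the name and surname, and the date of birth.
    tokens = set()
    for value in (username, pseudonym, first_name, last_name):
        tokens.update(t for t in _fold(value).split() if len(t) >= MIN_TOKEN_LEN)
    tokens |= _birth_date_forms(birth_date)
    folded = _fold(password)
    if any(t in folded for t in tokens):
        problems.append("personal-data")
    return problems


class LoginGuard:
    """Counts failed logins per user and calendar day and logs every attempt."""

    def __init__(self, max_failures=MAX_FAILURES_PER_DAY):
        # The operator may choose a lower limit than five, never a higher one.
        if not 0 <= max_failures <= MAX_FAILURES_PER_DAY:
            raise ValueError("limit must be between 0 and 5")
        self.max_failures = max_failures
        self._failures = {}  # (user, day) -> failed attempts on that day
        self.audit = []      # (timestamp, user, outcome), kept for later audit

    def record(self, user, when, password_ok):
        """Register one access attempt and return 'ok', 'failed' or 'blocked'."""
        key = (user, when.date())
        if self._failures.get(key, 0) > self.max_failures:
            outcome = "blocked"  # already blocked today, even with the right password
        elif password_ok:
            outcome = "ok"
        else:
            self._failures[key] = self._failures.get(key, 0) + 1
            outcome = "blocked" if self._failures[key] > self.max_failures else "failed"
        self.audit.append((when, user, outcome))
        return outcome


def needs_step_up(last_access, now):
    """True when inactivity exceeds the threshold and extra verification is due."""
    return now - last_access > MAX_INACTIVITY
```

Failures are counted per day rather than consecutively, so a successful login does not reset the counter.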

2.1.13 Information to the participant about their last connection. After the user is authenticated, the system will show them the date and time of their last access.

2.1.14 Registration of the session configuration for the game of machines of chance. In the case of machines of chance, operators shall record and retain the data relating to the user's configuration of each of their sessions for the game of machines of chance, as set out in Article 14 of Order HAP/1370/2014 of 25 July, approving the basic regulation of the game of machines of chance.

2.2 Play account and participant deposits.

2.2.1 Game account functionality. When the operator manages funds deposited by the participants, it shall use a gaming account to maintain the accounting record of the transactions.

Each user record will have one or more game accounts linked to it. Of the accounts linked to the same user registry, at least one shall allow the deposit and withdrawal of funds. The transfer of funds between the different gaming accounts linked to the same user registry shall be immediate and free for the participant. Each game account will allow payment for participation in one, several or all of the games offered on the platform.

The game account will reflect all transactions involving an alteration of the participant's balance, such as deposits made by the participant, charges for the amount of participation in the games, and for the additional services that the operator may provide, the credits for the bonuses offered by the operator and the prizes obtained by the participant.

The game account will be denominated in euro.

Corrections, cancellations or adjustments will be reflected in separate entries, without in any case altering the original transaction that is corrected, cancelled or adjusted.

Any bets that have been cancelled by the operator must be recorded, clearly indicating the reason for their cancellation.

The accounting entries in the game account will make clear the nature of the transaction and the time at which it takes place.

2.2.2 Participants' deposit control procedure. The obligations of the operator in relation to the funds of the participants are those set out in Article 39 of Royal Decree 1614/2011 of 14 November, which develops Law 13/2011, of 27 May, of regulation of the game, as regards licences, authorisations and registers of the game, and should be supplemented by a procedure to ensure that it works properly, which includes at least the following controls:

• There will be a record book, completed at least weekly, in which the following will be checked and recorded: the balance of the funds deposited by the participants in the users' game accounts, the balance of each of the bank current accounts in Spain referred to in Article 39 of Royal Decree 1614/2011, the date and time at which the verification was carried out, and the signature of a person designated by the operator.

• In the event that the balance of funds deposited by the participants is lower than that of the bank's current accounts, the measures to increase the balance of the bank's current accounts will be taken immediately, and the check and its annotation in the book will be repeated the following business day.

2.2.3 History. The participant shall have available in real time the balance of the game account and the record of all the shares/units made, at least for the last thirty days.

The participant may consult in real time a summary, at least per calendar year, of the movements in their gaming account that includes: the initial balance, the sum of the deposits made, the sum of the withdrawals made, the sum of the charges for the amount of the participation in the games and for the additional services that the operator may provide, the sum of the credits for any bonuses accepted by the participant and for the prizes obtained, and the final balance.

The system shall be designed to be able to issue, in real time and upon request of the participant, a document including the information described in the preceding paragraph and in which the operator and the participant's identification data are recorded. The operator shall have a procedure which allows those users who do not have an active game account with the operator at the time of the consultation to obtain such information through the operator's customer service channels. Upon this request by the participant, once the necessary identity checks have been made, the operator must make the requested document available to the user within a maximum of 10 days.

2.2.4 Game account units. In accordance with the provisions of article 35.2 of Royal Decree 1614/2011 of 14 November, for the development of Law 13/2011 of 27 May, of regulation of the game, in respect of licenses, authorizations and records of the game, the monetary unit of the gaming account is the euro.

The operator can use other units such as bonus points ("bonus"), points to pay for entry to tournaments, or others. The platform shall record the balance and movements expressed in each of the units.

2.2.5 Ban on transfers between participants. The operator shall establish the necessary technical procedures to prevent transfers between game accounts associated with different user registries.

2.2.6 Promotional Offers. If the conditions of the promotional offers were to establish an amount to accumulate, for example points, the participant must be able to consult the points it has accumulated or those that are left to meet the conditions.

2.2.7 Accounts associated with user records in a state other than active. User records in a state other than active are restricted in all or part of their operation on the platform. An operator must have a documented procedure of technical controls and checks to ensure that the gaming accounts associated with user registries in a state other than active do not perform undue movements.

2.2.8 Deposit Limits. The operator will keep a record detailing the modifications to the deposit limits for each user record. The record shall include the date and the reason for the amendment. It must be recorded whether the modification was requested by the player or established by the operator.

In addition, the operator must retain the addictive-behaviour prevention and responsible gaming tests that are required in order to request an increase in deposit amounts or the removal of any limit set on the game account, as well as the historical analysis of the participant's track record in the case of second or subsequent requests for a limit increase by the same participant.

2.2.9 Credit balance. Without prejudice to other limitations on participation, if there is not enough balance available in the game account at the time the player wishes to participate in the game or a bet, participation in the game must be rejected.

Consequently, no gaming account can present a credit balance as a result of allowing participation in the game without sufficient balance.

2.3 Means of payment and collection.

2.3.1 Registration of payment and recovery operations. The operator shall retain, or be in a position to obtain, the detailed entry for each deposit or withdrawal operation together with all the information associated with each operation, regardless of whether it uses its own or third-party means.

Where additional charging services are used, the operator shall retain the information relating to the amount of participation and the identifier of the game or contest in which the participation took place, and be in a position to obtain the telephone number and account used to invoice the player's participation.

2.3.2 Withdrawal of funds. An operator shall establish a procedure for instructing the payment method used to transfer the funds within a maximum of 24 hours. This procedure must provide that exceptional cases of failure to meet that deadline must be notified in advance to the General Management of the Game.

2.3.3 Procedure for the control of payment and recovery operations. The operator shall establish a procedure for cross-checking payment and recovery operations against the entries in the game account or in the game software, which shall include at least:

• The verification that gaming accounts associated with user records in a state other than active do not perform improper movements.

• The verification that the amounts of deposits and withdrawals correspond to the amounts of operations performed through the means of payment.

• The verification that there are no deposits made by the participants above the deposit limits that each of them has set.

• The verification that the withdrawals are ordered within a maximum of 24 hours, with the exception of the causes provided for exceptionally and that would have been previously notified to the General Management of the Game.

The procedure will run at minimum monthly intervals.
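The four checks listed in 2.3.3 can be expressed as a single reconciliation pass over the game-account entries. The following is an added example, not part of the Resolution or of any operator's system; the record layout, the field names, the use of a per-day deposit limit and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

MAX_ORDER_DELAY = timedelta(hours=24)  # withdrawal deadline from section 2.3.2


@dataclass(frozen=True)
class Movement:
    """One deposit or withdrawal entry in the game account (hypothetical layout)."""
    op_id: str
    account: str
    kind: str                              # "deposit" or "withdrawal"
    amount: Decimal
    requested_at: datetime
    ordered_at: Optional[datetime] = None  # withdrawals: when payment was ordered
    notified: bool = False                 # delay notified in advance to the regulator


def reconcile(ledger, provider_amounts, account_state, daily_limit, as_of):
    """Return (op_id, finding) pairs for the four checks listed in 2.3.3."""
    findings = []
    deposited = defaultdict(Decimal)       # (account, day) -> running deposit total
    for m in sorted(ledger, key=lambda x: x.requested_at):
        # Check 1: accounts whose user record is not active must show no movements.
        if account_state.get(m.account) != "active":
            findings.append((m.op_id, "movement on non-active account"))
        # Check 2: the ledger amount must match the payment-provider operation.
        paid = provider_amounts.get(m.op_id)
        if paid is None:
            findings.append((m.op_id, "no matching payment-provider operation"))
        elif paid != m.amount:
            findings.append((m.op_id, "amount differs from payment provider"))
        if m.kind == "deposit":
            # Check 3: deposits must stay within the limit the participant set
            # (assumed here to be a per-day limit).
            key = (m.account, m.requested_at.date())
            deposited[key] += m.amount
            limit = daily_limit.get(m.account)
            if limit is not None and deposited[key] > limit:
                findings.append((m.op_id, "deposit limit exceeded"))
        elif m.kind == "withdrawal":
            # Check 4: payment ordered within 24 hours unless notified beforehand.
            # A withdrawal that is still not ordered is measured against `as_of`.
            effective = m.ordered_at if m.ordered_at is not None else as_of
            if effective - m.requested_at > MAX_ORDER_DELAY and not m.notified:
                findings.append((m.op_id, "withdrawal not ordered within 24 hours"))
    # Provider operations that never reached the game account are also reported.
    for op_id in sorted(set(provider_amounts) - {m.op_id for m in ledger}):
        findings.append((op_id, "payment-provider operation missing from ledger"))
    return findings


def sample_run():
    """Run the checks over constructed sample data (not real operator records)."""
    at = lambda day, hour: datetime(2014, 10, day, hour)
    ledger = [
        Movement("d1", "A", "deposit", Decimal("400"), at(6, 10)),
        Movement("d2", "A", "deposit", Decimal("300"), at(6, 18)),
        Movement("d3", "B", "deposit", Decimal("50"), at(7, 12)),
        Movement("w1", "C", "withdrawal", Decimal("100"), at(6, 9), at(7, 8)),
        Movement("w2", "C", "withdrawal", Decimal("200"), at(6, 9), at(8, 9)),
        Movement("w3", "C", "withdrawal", Decimal("80"), at(6, 9), at(9, 9), True),
    ]
    provider_amounts = {
        "d1": Decimal("400"), "d2": Decimal("300"), "d3": Decimal("50"),
        "w1": Decimal("90"), "w2": Decimal("200"), "w3": Decimal("80"),
        "x9": Decimal("25"),
    }
    account_state = {"A": "active", "B": "suspended", "C": "active"}
    daily_limit = {"A": Decimal("600")}
    return reconcile(ledger, provider_amounts, account_state, daily_limit, at(31, 0))


if __name__ == "__main__":
    for op_id, finding in sample_run():
        print(op_id, finding)
```
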

2.4 Personal data protection.

2.4.1 Data Protection. The operators shall establish the appropriate technical procedures to maintain the privacy of the data of the participants in accordance with the Organic Law 15/1999, of December 13, of Protection of Personal Data and its complementary regulations.

The operators must also implement the safety measures established in the current data protection regulations and comply with the duty of secrecy imposed by the said rules.

2.4.2 Privacy Policy. The operator will publish its privacy policy on the gaming platform.

To complete the user registration process, the participant must give consent to the operator's policy. The platform will record the participant's acceptance and the content of the privacy policy or a link to its text. Any subsequent modification of the privacy policy will require its communication to the user and the user's acceptance.

The operator will have a technical and operational plan to ensure the privacy of user data.

3. Game

3.1 Basic Game Regulations.-The operator will offer games and modalities according to its enabling titles and the basic regulation of each game.

Operators will have to implement in their system the procedures necessary to meet the requirements set out in the basic regulation of each game, as set out in the corresponding Ministerial Order and, in particular, the requirements set out in respect of:

• Particular rules of the game.

• Claims of the participants.

• Reporting obligations to participants.

• Promotion of the games.

• Channels and means of participation.

• Goal of the game.

• Participation in the game and limits to participation.

• Development of the game, determination and allocation of prizes.

• Formalization of bets or plays and assumptions of cancellation and postponement.

• Payment of prizes.

The operator will implement a procedure, which will run on a minimum monthly basis, by which it will verify that its offer of play matches the enabling titles it holds, that the modalities and variants within each type of game are in compliance with the current regulations, and that the approved software versions are in use.

The operator shall keep a record of the active games at any time, indicating the game, the mode or variant, where applicable, the trade name and the approved version.

3.2 Redirection to the domain ".es".-The operator will establish procedures and mechanisms to ensure that all connections made from Spain or with a Spanish user registry to a domain that is owned or controlled by the gaming operator, its parent or its subsidiaries are directed to a website with a domain name under ".es".

To do this, the operator must implement measures that allow, as far as possible, to detect and prevent connections through network technologies whose purpose is to hide the player's IP address.

The operator must have a procedure to check the geolocation of the player's IP against his country of residence and, where appropriate, the means of payment used, in order to detect possible fraud by the player.

3.3 Percentage of return to participant.-The operator will determine for each game, mode, or variant, the expected value or range of values for the return percentage.

The operator will implement a procedure to ensure the correct operation of the expected return to the participant, by means of a minimum monthly check that the percentage of return to the participant obtained in each of the games, modes, or variants, corresponds to the expected value or ranges.

In cases where serious deviations are detected, the operator must deactivate affected games, modes, or variants until it determines and remedies the incident. If abnormal operation is confirmed, the operator shall notify the General Management of the Game Management, indicating the cause, the time period, the players and the amounts concerned, as well as the measures taken.

In those games where the percentage of return can depend on configurable parameters on the technical system, such as the prize tables, the operator will keep track of any changes to those parameters.

3.4 Award Tables.-Award tables, in those games where they exist, will be public and accessible to participants and will include all possible winning combinations and a description of the prize corresponding to each combination.

The information in the awards program should clearly indicate whether the awards are quantified in units of account, monetary unit or in any other unit established.

The prize program information will reflect any change in the value of the prize that may occur during the course of the game. For these purposes, it will be sufficient for the operator to have and display a box in a prominent place in the graphical interface of the game in which the referenced changes in the value of the prizes appear.

When there are jackpots or multipliers of the prizes displayed on the screens, it must be specified if the jackpot or multiplier affects the award program or not.

The operator will keep track of the prize tables for each game, so these changes can be audited.

The prize tables may not be changed during the game, except in cases where this is provided for in the particular rules and the participant is properly informed.

3.5 Random Number Generator (GNA).

3.5.1 Operation of the GNA. The random number generator must meet at least the following requirements:

• The generated random data must be statistically independent.

• Random data must be evenly distributed within the established range.

• Random data must remain within the established range.

• The random data generated must be unpredictable (their prediction must be computationally infeasible without knowing the algorithm and the seed).

• The generated data series should not be reproducible.

• Different instances of a GNA should not be synchronized with each other so that the results of one can predict the results of another.

• Seeding/reseeding techniques should not allow for predictions about the results.

• Generation mechanisms must have successfully passed different statistical tests that demonstrate their random character.

The technical system can share a GNA or an instance of the GNA for one or more games if this does not affect the random behavior of the system.

3.5.2 Scaling methods. Scaling methods must meet the requirements of GNAs.

Scaling methods must be linear and must not introduce any bias, pattern, or predictability and must be able to undergo recognized statistical tests.
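The no-bias requirement for scaling methods in 3.5.2 can be checked exhaustively on a small raw range. The following added example (not part of the Resolution; the 8-bit raw source, the 52-outcome range and all function names are assumptions chosen for illustration) compares a plain modulo reduction with a scaling that rejects the incomplete top bucket, and applies a chi-square statistic to both.

```python
import secrets
from collections import Counter


def scale_modulo(raw, bits, n):
    """Plain modulo scaling: biased whenever n does not divide 2**bits."""
    return raw % n


def scale_rejection(raw, bits, n):
    """Rejection scaling: raw values in the incomplete top bucket return None."""
    span = 1 << bits
    limit = span - (span % n)          # largest multiple of n that fits in the span
    return raw % n if raw < limit else None


def outcome_counts(scale, bits, n):
    """Map every possible raw value through `scale` and count each outcome."""
    counts = Counter({k: 0 for k in range(n)})
    for raw in range(1 << bits):
        out = scale(raw, bits, n)
        if out is not None:            # rejected raw values are redrawn in practice
            counts[out] += 1
    return counts


def chi_square(counts):
    """Chi-square statistic of the counts against a uniform distribution."""
    total = sum(counts.values())
    expected = total / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts.values())


def draw(n, bits=32):
    """Draw one outcome in [0, n) from the OS CSPRNG using rejection scaling."""
    if not 0 < n <= (1 << bits):
        raise ValueError("n must fit in the raw range")
    while True:
        out = scale_rejection(secrets.randbits(bits), bits, n)
        if out is not None:
            # Range check mirrors the requirement that data stay within range.
            assert 0 <= out < n
            return out


def demo():
    """Constructed case: an 8-bit raw source scaled to 52 outcomes (a card deck)."""
    bits, n = 8, 52
    biased = outcome_counts(scale_modulo, bits, n)
    unbiased = outcome_counts(scale_rejection, bits, n)
    return {
        "modulo_min_max": (min(biased.values()), max(biased.values())),
        "rejection_min_max": (min(unbiased.values()), max(unbiased.values())),
        "modulo_chi2": chi_square(biased),
        "rejection_chi2": chi_square(unbiased),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a plain modulo, outcomes 0 to 47 are each produced by five raw values and outcomes 48 to 51 by only four, which shifts the return percentage of any game whose prizes depend on those outcomes.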

3.5.3 GNA hardware. In the case of use of a GNA hardware, it must meet the same requirements, adapted to the technical characteristics of the hardware and, if any, prove that the personnel operating it cannot influence the results. In the case of the use of a hardware-operated GNA hardware, the operator must have a procedure to minimise the hypothetical risks that might affect the generation of results.

3.5.4 Failures in the GNA. The operator must implement a GNA monitoring system to enable it to detect its failures, as well as the mechanisms that disable the game when a failure occurs in the GNA.

3.5.5 Reseeding the GNA. The operator must have a reseeding procedure for the GNA.

3.6 Logic of the game.

3.6.1 User terminal independent logic. All functions and logic that are critical to the implementation of the rules of the game and the determination of the result must be generated by the central gaming unit, independently of the user terminal.

3.6.2 Application of the GNA in the games. The value range of the GNA must be accurate and not distort the percentage of return to the participant.

The method of translation into the game's symbols or results should not be influenced or controlled by any factor other than the numerical values derived from the GNA.

Random events should be governed exclusively by the random number generator and there should be no correlation between one play and others. The game should not discard any random events, except in cases where that circumstance is covered by the rules of the game.

The game should not manipulate the events of chance, either manually, or automatically, or to maintain a minimum return percentage to the participant.

When the rules of the game require a sequence of random events to be drawn (for example, the cards of a deck), the events of chance will not be resequenced during the course of the game, except in those cases in which this circumstance is contemplated in the rules of the game.

3.6.3 Controls of the logic of the game. The game should be designed to minimize the risk of tampering. Technical, organisational and procedural measures shall be taken to prevent behaviour that would result in deviations from the rules of the game.

The operator will have a documented procedure that describes the measures it applies on its system to ensure that:

• The game is developed according to the rules of the game.

• Game data is written to the system.

• Receipts or documents identifying a bet or stake are protected against possible manipulation.

• The system controls the time of placing bets on the market or participation. The time when the marketing is closed must be the one that is established in the rules that regulate the game and in any case it will be before the end of the event that triggers the outcome of the game.

• The system controls the prize fund constituted.

• The winner determination procedure works properly, and neither allows winners who do not meet the conditions to be awarded nor treats as non-winners those who do meet them.

• The system will award prizes to participants who appear on the winners list effectively.

• All types of transactions that can be created during the operation of the game, including those dedicated to exception management, system parameter changes, cancellations, actions in manual mode, must register on the system, along with the appropriate audit trail.

Any modification, alteration, or erasure of the data must leave an audit trace, especially when manual intervention exists.

3.7 User terminals and physical terminals of an accessory character.

3.7.1 Terminals. Terminals are considered to be the set of software and hardware elements that interact directly with the participant.

User terminals are those elements that are provided by the participant and may be hardware elements, such as personal computer, mobile phone or smartphone, or software items such as the operating system or the web browser.

Physical terminals are the terminals under the control of the operator for direct interaction with the participant. Both self-service terminals for participants (kiosks or others) and terminals intended to be attended by operator personnel, as well as mixed solutions, are included.

3.7.1.1 Identification of terminals. The platform must be able to identify the different types and versions of terminals, and keep track of them. Unless duly justified technical reasons, the platform shall record whether the participant is using a specific solution provided for mobile devices.

If the terminal is installed in physical gaming rooms, casino, or other establishments where they are authorized, the platform must identify the establishment.

3.7.1.2 Terminal functionality. The terminal will only be responsible for the interaction with the participant and the presentation.

The logic of the game or any element of randomness must be performed by the central unit of play independently of the terminal.

The operations performed by the terminal must have a synchronous confirmation of the central gaming unit to be considered formalized, and to extend credentialed bets or deposits.

All transactions made through the terminal will be recorded in the central gaming unit and associated with a person who must have previously authenticated, whether a participant, the operator, its technicians, or personnel authorised by the operator. Records will make it possible to identify the transactions made from each terminal.

3.7.2 User Terminals. The technical requirements applicable to user terminals are set out below.

3.7.2.1 Installation of components on the user terminal. If the use of the gaming system requires the installation of any component on the participant's equipment, the participant's express consent must be obtained prior to installation.

3.7.2.2 Disadvantage by connection quality. The operator is obliged to introduce in its technical systems all possible means to try to reduce the risk of certain customers being at a disadvantage compared to others due to technical factors which may affect the speed of the connection.

The participant must be informed in cases where the response time can have a significant impact on the probability of winning.

3.7.2.3 Information about the quality of the connection. The system will inform the participant about the non-availability of communication with the gaming system as soon as it detects it.

The gaming software should not be affected by the malfunction of the devices of the final participants, except for the operation of the procedures intended to complete incomplete games.

3.7.2.4 Reduced functionality for certain user terminals. User terminals that have a smaller graphical interface than others (such as mobile devices compared with personal computers) will be able to offer some content that cannot be fully displayed as in the other terminals. For strictly technical reasons, the platform may offer different functionality in the different types of terminals.

The participant must be informed of the limitations of information or functionality of the terminal and client application that they are using, and accept them expressly.

The operator will mitigate the risks arising from the lack of information or functionality in a particular terminal by offering the same information by other means.

Unless duly justified technical impediments, all the information that must appear on the interface must also appear in that of a terminal. When it is not possible to include all the information or links in the game interface, they will be offered from a link, from a menu or from another application of the same terminal.

3.7.2.5 Terminal minimum resources. The platform will not process games from a terminal that does not have all the minimum resources needed to play without technical problems and without disadvantages.

3.7.3 Physical Terminals of Accessory Character. The following are the technical requirements for application to the physical terminals of an accessory character.

3.7.3.1 Treatment of participant data. In order to ensure the security and confidentiality of a participant's information, the necessary measures must be taken to ensure that the data of a participant is not accessible to other participants who may subsequently use the same terminal. The terminal must not permanently store data from a participant. In situations where a participant's data is temporarily stored, the data will be erased at the end of the user session.

3.7.3.2 Physical Design. The terminal will be designed to minimize the possibility of being manipulated by a third party putting the participant at risk. For these purposes, logical attacks (such as software manipulation), physical attacks (such as the tapping of chips or ports), attacks through communications, and combined attacks will be considered.

3.7.3.3 Terminal integrity. The terminal must also generate a local log or record, where it will record an audit trail of any modification to an installed software component, its removal or new installation, as well as access or access attempts, whether local or remote. These records shall be kept for at least 90 days, the six-year general conservation requirement not being applicable. The technical system will check at least daily that the software components of the terminal are approved.

The terminal will use a system to verify that any software component to install is authentic and has not been altered, as a previous step before any installation of software components.

The terminal will be reasonably designed to detect erroneous or unsafe operation, and should alert the participant and restrict the operation.

When the terminal is being used by a participant, the operator will only be able to use remote access to the terminal for normal communications for the development of the game with the central gaming unit, for quality, security and performance monitoring, and for scheduled tasks such as downloading content. The operator may also access the terminal to solve problems or technical incidents, provided that the participant is warned. Before allowing any such access, the terminal must authenticate the operator system and establish a secure communication line.

3.7.3.4 Mobile terminals. In the case of physical terminals of a mobile accessory character, the terminal shall include mechanisms that allow the operator to control the location of the terminal.

3.8 User Session. A user session is the time period during which a user remains connected to the operator's website, running from valid user authentication on the system to the user's disconnection.

3.8.1 Disconnection by inactivity. The user's idle timeout will be at most twenty minutes; after this time, the platform must disconnect the user.

When the operator performs basically one-way communications where the expected behavior of the user is passive, such as in the retransmission of a live sports event, it may be understood that the user is still active even if they do not perform any actions.

If technically possible, the participant will be informed that the session is over.

3.8.2 Registration of user sessions. The platform will keep track of user sessions, detailing the session start and end times, the authentication mechanism used by the user, and the cause of disconnection or inactivity.

In case the terminal belongs to the user, the platform will make it possible to identify, if technically possible, the type of device (computer, smartphone or other), the application/version used (browser or application), and if any, the IP address.

In the event that the terminal belongs to an operator, it will make it possible to identify the type and version of the terminal, as well as, if technically possible, the specific terminal.

3.9 Graphical Interface.

3.9.1 Game data. The name of the game that the participant is playing must be clearly visible on all the associated screens.

The game instructions should be easily accessible. The graphical interface must include all the information necessary for the development of the game. The function of all action buttons represented on the screen must be clear.

The outcome of each play should be displayed, if technically possible, instantly to the participant and maintained for a reasonable period of time.

3.9.2 Participant data. The screen must show the current balance of the participant at least in euros and the bets placed, unit and total.

3.9.3 Awards. The interface shall clearly indicate whether the prizes are shown in euro or in credits. No different representations should be alternated that may confuse the participant.

If random prizes associated with a play or bet are offered, the participant must know the maximum amount that can be obtained from the bet or play to be made.

The participant must be informed when the amount of the random prize is determined based on the amount of the play or bet. When the text or graphic elements announce a maximum prize, this prize must be able to be achieved by a single game.

3.9.4 Card Games. Card games must comply with:

• The faces of the cards must clearly show the value of the cards.

• The faces of the cards should clearly show the suit/color of the cards.

• Jokers or wildcards should be distinguished from other cards.

• Using more than one deck in the game should be clearly shown.

• If the cards are shuffled during the game, the participant should be clearly informed about how often this is performed, and it should be displayed.

3.9.5 Simulation of real-life elements. Games that simulate elements of real life (roulette wheels, lottery drums, or others) must behave as closely as possible to the behavior of these physical elements. The probability of any event occurring in the simulation that affects the outcome of the game must be equivalent to that of the physical device in real life.

3.9.6 Third-party graphical interface. A graphical interface shall be considered to be third-party when the operator does not offer it as part of its platform or when the operator includes a link to its download and it is clearly specified next to the link that the operator is not responsible for it.

The operator must inform participants who decide to use a third-party user interface that the functionality and information they receive may not be complete.

3.10 Integration with suppliers and in gaming networks with other operators.-The operator will be responsible for the game operations carried out through third parties or suppliers. Third-party technical systems or suppliers shall be considered as part of the operator's technical system and shall comply with the specifications set out in this provision.

The operator must ensure that any integration with the systems of another operator is performed in such a way that it meets the specifications set out in this provision.

3.11 Disabling a game or a user session.-The platform should allow, in exceptional circumstances, to disable a complete set of games, or specific user sessions, leaving a record of the actions and the reason that originated them for further review.

3.12 Incomplete game.-An incomplete game is one whose result has not yet been produced or, if it has occurred, the participant has not been able to be informed of this fact.

In the face of an incomplete game, the particular rules of the game will determine the performance of the platform, which can either wait for the participant, cancel the game or follow the game until it is completed.

• If the incomplete game is due to a loss of connection from the user's terminal, the platform will display the incomplete game when the participant reconnects.

• The operator must have a documented procedure for managing the unavailability incidents of one, several or all components, including the associated technical measures. Components must perform a self-diagnosis, a check of critical files, and a health check of communications between the various components.

• After recovery, the game technical system should proceed to deal with the ongoing games affected by the outage.

The technical system will keep track of service outages, with their start, duration, and services affected for further review.

3.13 Automatic Game.-If the system offers game strategy tips or automatic play functionalities, such recommendations or functionalities should be truthful and ensure that the mandatory return percentage is reached.

The participant will be guaranteed to maintain control of the game when the automatic game functionality is provided. The participant may control the maximum amount of the automatic game or the maximum bet and the number of automatic bets. The participant will be able to disable the automatic gaming functionality at any time.

When the automatic game functionality is used, the information displayed on the screen (duration, graphic elements or other) will be the same and will present the same characteristics as when the game is not automatic. The interface will additionally display the number of automatic plays that are either elapsed or remaining.

Automatic playback functionality may not disadvantage a participant, and neither the sequence of automatic games, nor any strategy that is advised to the participant shall be misleading.

In the case of games where more than one participant is simultaneously involved, all participants must be informed and accept a participant who has established the automatic gaming functionality.

3.14 Repetition of the play.-The platform must provide the participant with the option to repeat the play, showing it as a graphical reconstruction or an intelligible description of all the moves of the game that may have an impact on its development. The replay option must provide all the information needed to rebuild the last ten plays in the current user session.

3.15 Virtual Players.

3.15.1 Virtual players provided by the operator. The operator can use artificial intelligence using virtual players, also called robots, if it is expressly permitted by the regulation of the corresponding game.

In the case of games where more than one participant is involved simultaneously, all participants must be informed and accept the presence of a virtual player.

Virtual or automatic players must be clearly identified in the interface.

The virtual player must not have any technical advantage over the participants, and will not have access to information that is not available to them.

3.15.2 Virtual players used by participants. The operator may provide participants with artificial intelligence by using virtual players or robots, if the regulation of the corresponding game allows it.

The operator will report on whether or not it allows the use of virtual players or robots by participants. In cases where it is allowed and more than one participant is involved at the same time, the operator must ensure that the other participants are aware of who is a virtual player or robot. In cases where it is not allowed and more than one participant is involved at the same time, the operator should try to prevent participants from making use of virtual players, and as soon as it detects their use, it should communicate this to the participants. Participants must have a mechanism to report the existence of a possible virtual player.

The operator will have procedures to detect if a participant is using artificial intelligence techniques.

3.16 Metamorphic Games.-Metamorphic or Evolution Games should:

• Report the applicable rules at every moment or stage of the game.

• Show the participant enough information to indicate the closeness of the next metamorphosis. For example, if the participant is collecting items, the interface must show the number of items that the participant has collected, those that are required for metamorphosis, or those still missing to achieve it.

• The probability of a metamorphosis should not be varied according to the prizes obtained by the participant in previous games. Any exception must be previously authorized by the General Management of the Game.

• Information and play should not be misleading or ambiguous.

3.17 Participant in "absent" state.-During a game where more than one participant is simultaneously involved, the platform must allow the user to set a status of "absent" or "pause" that can be used if the participant needs to stop playing for a short period that will never be more than twenty minutes. In "absent" status, the participant does not make new plays. If the participant makes any move, their status will automatically cease to be "absent". If the actions do not affect the game (e.g., help query) the status of "absent" will be maintained.

3.18 Multi-participant Games with host.-In games where a participant is the host, the host may decide whether to accept any participant or only to accept participants through an invitation. The host will not be able to exclude participants from the table once they have been accepted to it.

3.19 Live Play.-For these purposes, live games are games that use a real croupier or a real game table as a gaming device, when the game is integrated with a retransmission system and online betting.

Participants will be able to view an online relay that allows the game to be followed and the result known.

There should be performance procedures for resolution of incidents that may occur during live gaming operations.

The automatic recognition and registration devices used must be equipped with a manual operating mode that allows the correction of an erroneous result. The participant must be informed that manual mode is active. Each time the manual operating mode is activated, the trace should be left to allow for its subsequent review.

There should be procedures to deal with game interruptions caused by discontinuity in data flow, video, and voice.

3.20 Jackpots, progressive jackpots, and additional prizes.-Whenever the basic regulation of the corresponding games allows, the operator may create jackpots, accumulated jackpots, progressive jackpots or additional prizes.

The platform will clearly inform the participant when it is contributing funds to jackpots and how a participant can opt for them. All participants contributing to the jackpot must be able to choose to win it throughout the game's development. The description of the conditions of the jackpot and the requirements for winning it must be communicated to the participant.

The conditions of the pot should include any conclusion or interruption, expected or unforeseen, of the game, as well as technical interruptions to the system.

The operator's system shall keep an accounting associated with the management of the jackpots that allows the control of the jackpots, identifying at least:

-The creation of each jackpot.

-The periods of time each jackpot has been active.

-The configurable features of the active jackpot at any time.

-The games or machines that participate or contribute to the jackpot at any time.

-The balance of the jackpot at all times, differentiating the contribution to it from each type of game or machine.

-The prizes awarded on the basis of the jackpot, detailing the winner, amount and time when it occurred.

-Manual actions that affect the balance of the jackpot.

-Transfer or redirect operations to another jackpot.

-The closing of a jackpot or the time its withdrawal occurs.

The operator must have a procedure that allows control of the jackpots, ensuring that the jackpot is created, managed, and awarded in accordance with the rules of the game.

In particular, at minimum monthly intervals, the operator shall check:

• The correct operation and balances and movements of the jackpots.

• That once the jackpot is constituted and opened, the conditions do not change until it has been won by one or more participants and its amount made effective.

• That the winner determination procedure works correctly. The procedure should neither allow the introduction of winners who do not meet the conditions to be awarded nor treat as non-winners those who do meet them.

• That the system grants prizes to participants listed as winners.

• If they exist, special attention will be given to the jackpot redirection systems in which part of the accumulated jackpot is redirected to another fund, where it can be won later. The jackpot redirection system cannot be used for the purpose of postponing the award of a prize indefinitely.

The inoperability of the jackpot must be communicated to the participants by displaying on their terminal a message such as "jackpot closed" or similar. It will not be possible to win an accumulated jackpot that is previously closed.

3.21 Games through channels of communication "in deferred". For these purposes, games "in deferred" are those games whose randomness or some of the elements needed to reach the result have been obtained prior to the start of the interaction of the participants with the game.

The operator shall take the necessary technical, security and organisational measures to prevent the operator, his or her staff, or other participants from obtaining benefits arising from the prior, even partial, knowledge of the elements that can determine the result.

4. Security of information systems

The security requirements of the game technical system that are set are intended to protect user user registries and their associated gaming accounts, as well as ensure that the game develops from correct way.

4.1 Critical Components. -Critical components are the elements whose security needs to be strengthened, as their impact on game development is important.

These are critical components:

• In the user registry, game account and means of payment processing: the components of the technical game system that store, manipulate or transmit sensitive customer information such as personal, authentication or economic data, and those that store the point-in-time status of the games, the bets and their outcome.

• In the random number generator: the components of the technical game system that transmit or process the random numbers that determine the results of the games, and the integration of the random number generator's output into the logic of the game.

• Connections to the General Management of Game Management.

• The internal control system: the captor and the warehouse.

• Access points and communications to and from the preceding critical components.

• Communication networks that transmit sensitive participant information.

4.2 Managing the security of the gaming technical system.-The operator must implement a security management system, which will especially protect the critical components referred to in the previous number.

Security procedures should be aimed at implementing specific security measures, based on a risk assessment. The operator should plan for periodic reviews and carry out reviews resulting from significant changes.

4.3 Risk management. Risk management will identify the elements to be protected, and then carry out an identification, quantification and periodic prioritization of the risks to which the technical gaming system is exposed. Risk management should be reflected in a plan of measures.

4.4 Security Policy. -Operators must have security procedures that will be communicated to all of their employees and, where appropriate, to external collaborating entities.

4.5 Information Security Organization. -Operators should establish a management framework for information security indicating the roles and responsibilities of their personnel.

4.6 Security in communication with participants. -Authentication mechanisms should be adopted that allow the game system to identify the participant, and which, in turn, allow the participant to identify the game.

The operator must establish the systems and mechanisms that ensure the confidentiality of the participants' communications with its technical gaming systems and, in particular, with the central gaming unit and its replica. Communications will be encrypted whenever personal data (user registration) or economic data (game account) are transmitted.

In connection with communications, the operator shall take the necessary measures to ensure the integrity and the non-repudiation in the cases of the transmission of personal or economic data, and in the transactions of participation in the game.

4.7 Human and third-party resource security. -The operator's personnel security plan will include training actions and the management of hiring, changes and termination of employment, with special attention to the access permissions to critical components and information.

When the operator needs third-party services that involve access to, processing or communication of the information, or access to facilities, products or services related to the game, these third parties shall comply with all the security requirements that are required of the rest of the staff.

4.8 Physical and environmental security. -Operator safety plans shall include, in relation to the physical security of the components of the technical game system and its replica, the following:

• Perimeter security for areas that contain critical components and sensitive information: walls, access cards, etc.

• Physical access control to the facilities in which the equipment is located, both for employees and for external personnel, including physical elements, authorization procedures, access records and surveillance services.

• Protection of critical equipment against environmental risks: water, fire, risks caused by people, etc.

• Protection of critical equipment against power outages and other outages caused by failure in support installations. Electrical supply wiring must be protected from damage.

• Control of access to communications cabling that carries unencrypted critical information.

• Maintenance of facilities and equipment.

• Devices that contain information must be securely deleted or destroyed before they are reused or removed.

• Equipment containing information cannot be moved out of secure facilities without the appropriate authorization.

4.9 Communications and Operations Management. -The secure and correct operation of the technical gaming system, and of its communications, must be ensured:

• Critical components must be monitored to prevent the use of versions other than the type-approved ones.

• Communication between the components of the technical gaming systems will ensure integrity and confidentiality.

• Tasks will be segregated between different areas of responsibility, to minimize the possibility of unauthorized access and potential damage.

• The development, testing, and production tasks will be separated.

• Services provided by third parties should include security controls and metrics in the contracts, and should be periodically audited and monitored.

• Malicious code protection measures will be taken.

• Backups must be made regularly, with the appropriate frequency, and kept in safe custody as set out in the backup plan.

• Security measures will be taken on the communications network.

• Security measures shall be taken in the handling of portable media, as well as in their safe erasure or destruction, which shall be set out in a documented procedure.

• The clocks of all components, especially the critical ones, must be synchronized with a reliable source of time. The reliable time source need not be the same for each component. The operator shall establish measures and controls to prevent the manipulation of timestamps or their subsequent alteration, in particular in the audit records.

• Records of all user activities, exceptions, and information security events should be generated and saved for a minimum period of two years.

• Audit records will be protected against alteration and improper access.

• System administrator and System operator activities must be logged.

• A periodic analysis of the audit records will be performed. Actions will be taken based on the detected incidents.

4.10 Access Control. -Access by operator staff and by participants must meet the following requirements:

• A documented information access policy must exist, which will be reviewed periodically.

• Authorized access must be ensured and unauthorized access prevented by means of user registration controls, access privilege management, periodic review of access privileges, and a password management policy.

• Users should follow best practices in the use of passwords and properly protect the documentation and media in their workplace.

• Users will only have access to the services they have been authorized to use.

• There will be no generic users; every user will access with their own unique user account.

• The system must authenticate all access, whether by staff, for maintenance, or from other systems and components (for example, the payment gateway). The inspection personnel of the General Management of Game Management or other personnel acting on their behalf must also be authenticated.

• Networks will be segregated based on the area and responsibility of the task or function.

• Access to operating systems will require a secure authentication mechanism.

• The use of programs capable of bypassing access and security controls will be restricted and controlled.

• User sessions will have a maximum connection duration and a disconnect time for inactivity.

• The IT support staff will have restricted access to the actual application data. The sensitive real data will be located in isolated environments.

• The risks associated with mobile devices will be managed.

• If teleworking exists, it will be verified that the associated risk is managed under the security plan.

4.11 Purchase, development and maintenance of systems. -The security impact of decisions on the purchase, development and maintenance of information systems must be analyzed.

4.12 Security Incident Management. -An operator must have a documented security incident management procedure.

All security incidents shall be recorded and the facts, impacts and measures taken shall be clearly and concisely documented.

4.13 Change Management. -Pursuant to the provisions of Article 8.5 of Royal Decree 1613/2011 of 14 November, implementing Law 13/2011 of 27 May, regulating the game, as regards the technical requirements, certification reports shall include a list of critical components. The General Management of Game Management may qualify additional components as critical.

From the start of its activity, the operator must have a documented change management procedure, which controls the changes to the equipment and components of the technical gaming system actually in use.

a) There will be a formal internal approval process for all changes, which must involve the change request and its approval by the relevant decision-makers.

b) In the case of changes in critical components, it shall be assessed whether this is a substantial change.

c) Change requests and decisions made will be recorded and may be the object of subsequent audit.

d) Copies of the binaries of the software items will be retained for all software versions that have been used in the technical system actually in use during the last four years. The General Directorate for the Management of the Game may establish the obligation that the procedure for the preservation of the copies of the binaries should include a fingerprint of the binaries.
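An added example (not part of the resolution) of a fingerprint audit for the binary copies required by 4.13 d), which also covers the version monitoring in 4.9: it checks retained copies against their recorded fingerprints and flags deployed binaries that are not the current approved version. SHA-256, the registry layout and the sample components are assumptions; the resolution names no algorithm or format.

```python
import hashlib
from datetime import date

RETENTION_YEARS = 4  # 4.13 d): versions used in the last four years


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest (assumed algorithm, not named by the resolution)."""
    return hashlib.sha256(data).hexdigest()


def years_before(day: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def audit_binaries(registry, archive, deployed, today):
    """Compare registry, retained copies and deployed binaries.

    registry: dicts with component, version, sha256, last_used
              (last_used is None while the version is in production)
    archive:  {(component, version): bytes} retained copies
    deployed: {component: bytes} binaries found on the live system
    """
    cutoff = years_before(today, RETENTION_YEARS)
    report = {"unapproved": [], "missing_copy": [],
              "altered_copy": [], "releasable": []}
    current, known = {}, {}
    for entry in registry:
        key = (entry["component"], entry["version"])
        known[(entry["component"], entry["sha256"])] = entry["version"]
        if entry["last_used"] is None:
            current.setdefault(entry["component"], set()).add(entry["sha256"])
        elif entry["last_used"] < cutoff:
            # Last used more than four years ago: copy no longer required.
            report["releasable"].append(key)
            continue
        stored = archive.get(key)
        if stored is None:
            report["missing_copy"].append(key)
        elif fingerprint(stored) != entry["sha256"]:
            report["altered_copy"].append(key)
    for component, data in sorted(deployed.items()):
        digest = fingerprint(data)
        if digest not in current.get(component, set()):
            # Second field: the retired version it matches, or None if unknown.
            report["unapproved"].append(
                (component, known.get((component, digest))))
    return report


def sample_inputs():
    """Constructed data: component names and contents are illustrative."""
    rng_v1 = b"constructed rng build 1.0"
    rng_v2 = b"constructed rng build 2.0"
    wallet_v30 = b"constructed wallet build 3.0"
    wallet_v31 = b"constructed wallet build 3.1"
    registry = [
        {"component": "rng", "version": "1.0",
         "sha256": fingerprint(rng_v1), "last_used": date(2019, 5, 1)},
        {"component": "rng", "version": "2.0",
         "sha256": fingerprint(rng_v2), "last_used": None},
        {"component": "wallet", "version": "3.0",
         "sha256": fingerprint(wallet_v30), "last_used": date(2023, 2, 10)},
        {"component": "wallet", "version": "3.1",
         "sha256": fingerprint(wallet_v31), "last_used": None},
    ]
    # wallet 3.0 has no retained copy; the wallet 3.1 copy has been altered.
    archive = {("rng", "2.0"): rng_v2, ("wallet", "3.1"): wallet_v31 + b"!"}
    # The live wallet binary is the retired 3.0 build, not the approved 3.1.
    deployed = {"rng": rng_v2, "wallet": wallet_v30}
    return registry, archive, deployed


if __name__ == "__main__":
    for finding, items in audit_binaries(*sample_inputs(),
                                         date(2024, 6, 1)).items():
        print(finding, items)
```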

4.14 Service Availability Management. -The operator must have a plan to manage the availability of the service. The operator must consider within the plan each of the following services:

• Participant registration, gaming accounts, including the possibility of deposit and withdrawal of funds.

• Gaming Services.

The plan will indicate the maximum monthly cumulative unavailability time, as well as the maximum recovery time for each service. The operator shall adapt its infrastructure and processes and implement the necessary measures to meet the objectives set out in its availability management plan.

4.15 Information Loss Prevention Plan. -An operator must have a plan that ensures that no data or transactions are lost that affect or may affect the development of the games, the rights of the participants or the public interest, and that indicates the risk assumed by the operator.

The operator will adapt its infrastructure and processes, and implement the necessary measures to meet the objectives set out in its plan, with the following minimum requirements:

• Copies of the information will be kept at a location remote from the data they are intended to safeguard.

• The copy of the information will be protected from unauthorized access by security measures equivalent to those of the information to be safeguarded.

The operator must have a documented procedure of action in case of loss of information that will include the mechanisms to address the complaints of users, the continuation of the games or bets interrupted, and any other situations that may arise.

In the event of loss of data, the operator must immediately inform the General Management of Game Management, indicating the actions taken and an estimate of the impact of the loss.

4.16 Business continuity management. -The operator must have a business continuity plan to keep the game operational in the event of a disaster, including the technical, human and organizational measures necessary to ensure the continuity of the service, and a replica of the central gaming unit that allows the normal development of the activity.

The business continuity plan will determine one or more recovery scenarios, indicating for each of them the services recovered and the maximum time within which they would be operational. The operator must consider the following scenarios within the plan:

• Access by participants to their user registries and game accounts, with the possibility of consulting the balance and the movements of their associated game accounts. The maximum time to provide these services again will be one week.

• Ability of participants to withdraw their funds. The maximum time to provide these services again will be one week.

• Continuation of incomplete games or pending bets, and payment of prizes validly achieved. The maximum time to provide these services again will be one month.

• Full operation of all services.

The operator will adapt its infrastructure and processes, and implement the necessary measures, to make the goals set in its business continuity plan achievable.

In the event of a disaster, the operator must immediately inform the General Management of Game Management, giving an estimate of the impact and of the expected recovery time.

4.17 Penetration test and vulnerability analysis. The gaming system must pass a penetration test and a vulnerability analysis, at least on an annual basis. Technical systems, or parts thereof, that serve information purposes only, where no bets are placed and there is no access to the user registry or game account, will be exempt from the obligation to perform the penetration tests and the vulnerability analysis.

The technical systems in which the interaction with the player is telephonic or by SMS will also be exempt from this obligation.

The penetration test and vulnerability analysis may be performed by entities other than the entities designated for the security assessment, or even be performed with the operator's own resources where it has the appropriate means.

The penetration test will consist of a method of evaluating the security of a network or a system by simulating an attack carried out by a third party. The process includes an active analysis of the system looking for weaknesses, technical failures, or vulnerabilities. The test shall include all public interfaces that store, process or transmit personal, economic or gaming data.

The vulnerability analysis will consist of the identification and passive quantification of the potential risks of the system. The analysis shall include all components that store, process or transmit personal, economic or gaming data.

Test and analysis results must be retained together with the corrective measures implemented or planned, for further review or inspection.

Before the start of game marketing, the technical system must have successfully passed both a penetration test and a vulnerability analysis. The scope and results shall be assessed by one of the entities designated for security certification during the certification process.

In the event that the test or analysis detects a very serious security failure that could put at risk the identity or financial situation of the players or allow their impersonation, the operator will communicate it immediately to the DGOJ along with the action plan that it has defined. The DGOJ may require the suspension of the affected gambling offer until the failure has been remedied.

In the case of minor security incidents, the operator shall adopt an improvement plan and the following test or analysis shall include in the scope the verification of the appropriate remedy for previously detected incidents.

The operator must keep the full report of each test or analysis performed for at least four years.

5. Internal control and inspection system

5.1 Internal control system.

5.1.1 Description. The monitoring and supervision of the gaming activities performed by the operator shall be carried out through the internal control system (hereinafter SCI), which the operators must implement.

The SCI must capture and record all gaming operations and economic transactions of participants located in Spain or with Spanish user registration, whatever the means of participation.

The internal control system must be adapted to the different channels of the games and of the interaction with the participants, in such a way that the capture and registration of all the operations of the game is ensured.

When different marketing or interaction channels are used simultaneously in a single game, the operator must establish the gateways, interfaces or channels of communication between all the means of participation or interaction in the game, in order to enable the General Directorate of the Management of the Game to access all the operations and transactions carried out, whatever the means employed.

The operator must establish and maintain a secure line of communication for the access of the General Management of the Game, as well as a service of consultation and downloading of data permanently available to the Directorate General of Game Management.

The SCI is composed of the captor and the game operations warehouse.

5.1.2 Access from the General Management of Game Management to the warehouse. The warehouse will keep the following permanently open access for the General Management of Game Management:

• An access through the SFTP protocol for downloading the information.

• An SSH access with read-only attributes and sufficient permissions to list and display the contents of the entire store.

The operator will provide the following authentication methods to the General Management of Game Management:

• For manual access, user name and password.

• For automated download, the operator will configure the key pair exchange (SSH keyswap) for the same user described in manual access.

The operator can use multiple stores. The data must be communicated once, preventing the different stores from containing redundant information.

5.1.3 SCI data model. The General Management of the Game, by resolution, will establish the data model of the SCI.

The data model of the SCI contains the scope of the data to be recorded, the period of update of the data and the technical requirements for availability and access, in the terms set out in Article 24 of Royal Decree 1613/2011, of 14 November, implementing Law 13/2011, of 27 May, of regulation of the game, regarding the technical requirements of the activities of the game.

Data will be stored in a file structure, in an XML-structured format, as defined in the Monitoring Data Schema (XSD-XML Schema Definition).

5.1.4 SCI time source. All elements of the gaming technical system, including the captor and the warehouse, will be synchronized with a reliable source of time.

5.1.5 Signature, compression and encryption of SCI data. The data to be recorded in the warehouse shall be grouped into batches. Each batch must be signed, compressed, and encrypted by the operator, using the format and procedure described in the Monitoring Data Model.

The operator must provide the General Management of the Game with the public part of the electronic certificate to be used for signing the batches. The operator must inform the General Management of Game Management if the certificate is revoked. The operator may use a certificate of its own or commission a third party to sign the batches on its behalf.

5.1.6 Captor and Warehouse Performance. The captor must be capable of processing and recording transaction information.

Except in duly justified exceptional situations, the captor must be designed so that the information is processed, formatted, and recorded in the warehouse within a maximum of twice the time defined for real time in the Monitoring Data Model.

The warehouse will have a minimum Internet communications capacity or throughput, sufficient for the General Management of Game Management to be able to access it:

• For data download, a minimum guaranteed throughput is required that allows the maximum volume of information that can be generated in one day to be downloaded within four hours, using the defined SFTP protocol.

• For data upload, a minimum of 64 kbps is required.

The warehouse as a system must have a performance equal to or greater than that required to ensure the communications flows described, regardless of other operations that it needs to perform.

5.1.7 SCI security. The SCI as a whole, both the captor and the gaming operations warehouse, is considered a critical component. The security requirements set out in paragraph 4 are applicable to the SCI.

While the data model requires that the information in the warehouse be encrypted in its final form, it is not required to be encrypted at all times. The chain of custody of the encryption key must be included in the SCI security design.

The captor must be able to record transactions at all times and on a permanent basis. The operator must design the availability plan, the information loss prevention plan, the disaster recovery time, and business continuity in compliance with this requirement.

5.1.8 Unavailability of the SCI and suspension of the game offer. The operator must suspend the game offer in cases where the internal control system is unavailable.

When the warehouse is unavailable for less than 24 hours, the operator may continue its gaming offer if the captor remains available, provided it is able to continue recording transactions until the warehouse is available again. The operator will suspend the game offer when the warehouse is unavailable for more than 24 hours.

5.1.9 Availability of the SCI. The captor must be able to record transactions at all times and on a permanent basis. The warehouse may not have a monthly cumulative downtime of more than 48 hours.

5.1.10 Information loss prevention plan in the SCI. The SCI is a critical component. Game operators must implement a procedure that minimizes the risk of loss of information to a maximum of 24 hours.

In the event of loss of information in the SCI, the operator must have a procedure for new extraction of the lost information that would allow the loss to be remedied within a maximum of one week.

Any loss of information affecting the SCI should be communicated immediately to the General Management of the Game, indicating a loss assessment as well as the plan of measures to be applied.

5.1.11 Quality of information for SCI. The operator must have a documented procedure for monitoring the quality of the SCI data. This procedure must be run at least monthly, including at least the following checks:

- That the data includes all participants registered with the operator.

- That the economic data includes all the game transactions of the period, including deposits and withdrawals, and that the figures obtained correspond to the official figures of the operator.

- That participant account balances are properly reflected in the internal control system information.

- That the monthly files for the period have been generated, as well as the daily files for each of the days of the period.

The operator shall keep the documentation of the results of the above checks, including in this documentation the date of completion, the signature of the person responsible on behalf of the operator, and the main figures (economic amounts and number of registered users) transmitted in the files of the internal control system, as well as their comparison with the official figures of the operator.

The operator must be ready to rectify incorrect data, by means of new extractions, within a maximum of one month.

5.1.12 Business Continuity in the SCI. Since the unavailability of the SCI entails the suspension of the offer of the game, the operator must have a business continuity procedure that, in the event of a disaster, will allow the SCI to be operational again within less than one month.

Any disaster affecting the SCI must be communicated immediately to the General Management of the Game, indicating a loss assessment as well as the plan of measures to be applied.

5.1.13 Conservation of SCI information. The warehouse must retain its data for a minimum period of six years.

Game operators will have an obligation to provide and allow the General Management of Game Management to access online information for the last twelve months of activity recorded in the warehouse.

Operators must have a procedure for the recovery of the information for a minimum period of six years.

5.1.14 Warehouse location in Spain. The warehouse or warehouses of the SCI must be located in Spain, in order to carry out the operations of verification and control of the information. The location and any modification thereof must be communicated to the General Management of the Game.

Backup copies of the warehouse or secondary replica sites of a main warehouse may be located outside of Spain.

5.2 In-person and remote inspection. -The General Management of Game Management should be able to monitor and supervise any of the elements of the technical gaming platforms of the operators.

To do this, the operator must set up the necessary mechanisms of secure communication to its technical systems, as well as allow and facilitate at all times the access to them by the General Management of the Game, regardless of location.

The General Management of Game Management will inform the operator of its intention to make a connection to the technical game system by providing a description of the functionalities it intends to access and the time and intended duration of the access.

The operator will provide the General Management of the Game with the means to make secure access to the system. The staff appointed by the operator shall collaborate with the General Management of Game Management for the appropriate access and consultation of other systems and applications. The General Management of Game Management may make recordings of the user's session and of any facts necessary for the exercise of its functions.

Unless otherwise required, it should be understood that the access provided to the General Management of Game Management is read-only and that it has the level of authorization to access all systems and applications of the technical gaming system without any filters on the data it can access.

Once access has ended, the operator must close the secure access.

6. Records and logs of the technical gaming system

6.1 Registration and traceability. -The operator shall keep records and logs of all the decisions of the participant, the operator itself, its staff or its systems, which have an impact on the development of the game, on the user registry, on the game accounts or on the means of payment.

In relation to the game's development data, the data must make it possible to reconstruct all the plays of the game that could have an impact on its development. The Technical Gaming System must also keep records and logs relating to the security of the information systems. All records and logs must be accessible online for the General Management of the Game for a period of not less than twelve months. The operator may exceptionally and justifiably be exempted from this requirement upon request for authorisation from the General Directorate for the Management of the Game. Without prejudice to the above, the records and logs must be stored for at least 6 years.

Operators must have a procedure to retrieve this information.

Records and logs will be designed to avoid the possibility of deletion or modification.

Any deletion that the operator must perform, for example, to correct technical errors, must be duly approved by the operator, and the supporting documentation of the adjustments made shall be retained.
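One way to make the records required by sections 4.9 and 6.1 resistant to alteration, deletion and timestamp manipulation, shown as an added example that is not part of the resolution or of any operator's system: each record carries an HMAC chained to the previous record, and an approved correction is appended instead of erasing. The key, the field names, the `CHG-PLACEHOLDER` approval reference and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value the first record chains to
# Assumption: in practice the key is held outside the system being logged.
SAMPLE_KEY = b"constructed-demo-key"


def _mac(key, seq, ts, actor, event, prev):
    """HMAC-SHA256 over the record fields and the previous record's MAC."""
    body = json.dumps([seq, ts, actor, event, prev],
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def append_record(log, key, ts, actor, event):
    """Append-only write: each record commits to the one before it."""
    prev = log[-1]["mac"] if log else GENESIS
    rec = {"seq": len(log), "ts": ts, "actor": actor,
           "event": event, "prev": prev}
    rec["mac"] = _mac(key, rec["seq"], ts, actor, event, prev)
    log.append(rec)
    return rec


def append_correction(log, key, ts, actor, target_seq, approval_ref, reason):
    """Approved fix: the faulty record stays and a linked correction is added."""
    event = {"type": "correction", "target": target_seq,
             "approval": approval_ref, "reason": reason}
    return append_record(log, key, ts, actor, event)


def verify_log(log, key, expected_count=None):
    """Return (index, finding) pairs; an empty list means the chain is intact.

    expected_count is a record count kept outside the log (assumption), which
    is the only way to notice that the newest records were cut off.
    """
    findings = []
    prev, last_ts = GENESIS, None
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            findings.append((i, "sequence gap"))
        if rec["prev"] != prev:
            findings.append((i, "broken chain"))
        mac = _mac(key, rec["seq"], rec["ts"], rec["actor"],
                   rec["event"], rec["prev"])
        if not hmac.compare_digest(mac, rec["mac"]):
            findings.append((i, "record altered"))
        if last_ts is not None and rec["ts"] < last_ts:
            findings.append((i, "timestamp goes backwards"))
        prev, last_ts = rec["mac"], rec["ts"]
    if expected_count is not None and len(log) != expected_count:
        findings.append((len(log), "record count mismatch"))
    return findings


def build_sample_log():
    """Constructed records; timestamps are epoch seconds."""
    log = []
    append_record(log, SAMPLE_KEY, 1700000000, "admin01", "login")
    append_record(log, SAMPLE_KEY, 1700000060, "admin01", "jackpot config read")
    append_record(log, SAMPLE_KEY, 1700000120, "op02", "game account adjusted")
    append_correction(log, SAMPLE_KEY, 1700000180, "admin01", 2,
                      "CHG-PLACEHOLDER", "wrong amount entered")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample, SAMPLE_KEY))
    del sample[2]  # simulate a silent deletion
    print("after deletion:", verify_log(sample, SAMPLE_KEY))
```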

6.2 Registration based on the marketing channel. -Certain terminals and participation procedures have specific registration requirements for gaming operations. These requirements shall not affect other communications between the operator and the participant other than the development of the game.

These specific terminals and procedures will apply to the recording of messages sent and received for gaming activities performed via text messaging, through fixed or mobile telephone services, or through audiovisual media.