Resolution Of 6 October 2014, The General Direction Of Management Of The Game, Which Approves The Provision Which Establishes The Model And Content Of The Report Of Final Certification Of The Technical Systems Of The Operators Of J...

Original Language Title: Resolución de 6 de octubre de 2014, de la Dirección General de Ordenación del Juego, por la que se aprueba la disposición que establece el modelo y contenido del informe de certificación definitiva de los sistemas técnicos de los operadores de j...

TEXT

Law 13/2011, of 27 May, of regulation of the game, establishes the regulatory framework for gaming activity, in its various modalities, carried out at state level, in order to guarantee the protection of public order, fight against fraud, prevent addictive behaviour, protect the rights of minors and safeguard the rights of participants in games.

The additional provision of Law No 3/2013, of 4 June, of the creation of the National Commission of the Markets and of the Competition establishes that "The General Direction of the Management of the Game of the Ministry of Finance and Public Administrations will assume the object, functions and powers that Law 13/2011, of May 27, of regulation of the game, attributes to the extinct National Commission of the Game."

Law 13/2011, of 27 May, of regulation of the game, establishes, in its article 16, that "the entities that carry out the organization, exploitation and development of regulated games in the ambit of Law 13/2011, of 27 May, Regulation of the game, must have the material software, equipment, systems, terminals and instruments in general necessary for the development of the activities of the game, duly approved", attributing to the Directorate-General for the Management of the Game the approval of the technical game systems, the establishment of the specifications necessary for their operation and the procedure for their certification.

For its part, Royal Decree 1613/2011, of 14 November, which develops Law 13/2011, of 27 May, of regulation of the game, as regards the technical requirements of gaming activities, establishes, in its Article 6.1, in fine, that the Directorate-General for the Management of the Game "for the performance of the approvals may be based on reports of certification of the adequacy of the technical systems of the operator's game issued by designated entities for these purposes." Furthermore, the first paragraph of Article 8 of the Royal Decree 1613/2011 provides that the Directorate-General for the Management of the Game shall establish the minimum content of the reports issued by the entities designated for the certification of the technical gaming systems.

It should be noted that Royal Decree 1613/2011, in the final provision, assigns to the Directorate-General for the Management of the Game the development of certain technical aspects of the marketing of the gaming activities covered by Law 13/2011, of May 27, of regulation of the game.

This Resolution, which is issued in compliance with the mandate of Article 8 of Royal Decree 1613/2011, aims to establish the minimum content of the final certification reports of the entities designated to issue them, as well as the models to be used by these entities.

Based on the experience gained since the publication of the first version of the model and content of the final certification report by the Resolution of 12 July 2012 of the Directorate-General for the Management of the Game, its content and form have been updated and revised.

By virtue of the foregoing, and following the favourable report of the State Advocate in the Secretariat of State of Finance of the Ministry of Finance and Public Administrations, this Directorate General, in use of the powers conferred on it, resolves:

First.

Approve the provision establishing the model and content of the final certification report for the technical gaming systems of the operators enabled in Spain, which is attached as Annex I to this Resolution.

Second.

Approve annexes II, III, IV, V, VI, and VII that accompany this Resolution.

Third.

This Resolution shall enter into force on the day following that of its publication in the "Official State Gazette".

Fourth.

Applications for approval of licences which have been awarded to the date of publication of this Resolution may include certification reports on the basis of the model and content set out in the Resolution of 12 July 2012.

Fifth.

Repeal the Resolution of 12 July 2012, of the General Management Directorate of the Game, approving the provision establishing the model and content of the final certification report of the technical systems of the game operators and developing the change management procedure.

Against this resolution, pursuant to Articles 114 and 115 of Law 30/1992, of 26 November, of the Legal Regime of Public Administrations and of the Common Administrative Procedure, the person concerned may bring proceedings before the Secretary of State for Finance, within one month of the day following that of its publication.

Madrid, October 6, 2014. The Director General of the Game Management, Carlos Hernandez Rivera.

INDEX

Annex I. Provision establishing the model and content of the final certification report of the technical systems of the game operators and developing the change management procedure.

First. Object and scope.

Second. Definitions.

Third. Procedure and time limit for the approval of technical gaming systems.

Fourth. Description of the technical system licensed.

Fifth. Certification reports.

Sixth. Game service providers.

Seventh. Functionality certification report.

Eighth. Safety certification reports.

Ninth. Compliance with personal data protection regulations.

10th. Change management procedure in the game technical system.

11th. Fingerprints.

Annex II. Descriptive questionnaire for the license.

Annex III. Model and minimum content of the functionality certification report.

Annex IV. Model and content of the security certification report.

Annex V. List of technical requirements for functionality.

Annex VI. Minimum list of integration tests.

Annex VII. List of security technical requirements.

ANNEX I

Provision establishing the model and content of the final certification report of the technical systems of the game operators and developing the change management procedure

First. Object and scope.

This provision aims to establish the minimum model and content of the final certification report on compliance with the requirements laid down in the current regulations for the technical gaming systems used for the development and exploitation of the games covered by the relevant general or singular licence.

The final certification report shall be issued by one or more of the entities designated for this purpose by the General Management Directorate of the Game and shall serve to obtain the approval of the operators' technical gaming systems. A report shall be submitted for each general or singular licence granted to the operator concerned.

The final certification report, whose minimum model and content is set out in this provision, covers the certification of the technical gaming systems of operators with general licences for the development and exploitation of the methods of play referred to in points (c), (e) and (f) of Article 3 of Law 13/2011 of 27 May of regulation of the game, and in respect of the regulated types of game until the date of publication of the game.

Also, this provision develops the change management procedure referred to in Article 8.4 of Royal Decree 1613/2011 of 14 November, which develops Law 13/2011, of 27 May, of regulation of the game, as regards the technical requirements of gaming activities, and supplements the provisions of paragraph 4.13 of the Resolution of 6 October 2014 of the Directorate-General for the Management of the Game, which approves the provision developing the technical specifications for game, traceability and security to be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game.

Second. Definitions.

For the purposes of this provision, the terms used in it shall have the meaning set out in point 1.2 of Annex I to the Resolution of 6 October 2014 of the Directorate-General for the Management of the Game, which approves the provision developing the technical specifications for game, traceability and security to be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game.

Third. Procedure and time limit for the approval of technical gaming systems.

The initial approval of the technical game systems will be carried out in the framework of the procedure for granting general and singular licenses.

The final report or reports of certification of the operators' technical gaming systems must be submitted by the person concerned within four months of the notification of the Resolution granting the general license or provisional singular license.

The final certification report consists of the following documents:

a) Description of the licensed technical system, completed by the operator.

b) Definitive report of functionality certification.

c) Definitive security certification report.

d) Report on the operator's compliance with personal data protection regulations.

The approval procedure shall be initiated at the time when the final certification report has entered the General Register of the Ministry of Finance and Public Administrations in the form established in the Article 38 (4) of Law 30/1992 of 26 November 1992 on the Legal Regime of Public Administrations and the Common Administrative Procedure. The procedures will be started based on the order of input of the reports.

The final certification report and additional documentation and reports must be submitted in electronic form. Only the identification of the certification, the object of the certification and its executive summary shall be submitted on paper, and duly signed by the person or persons authorised in the certification body.

If the operator performs the telematic presentation of the certification report, he/she shall ensure that the certification report is signed by a certified certificate in the field of the General Administration of the State, in accordance with Law 11/2007, of 22 June, on the electronic access of citizens to Public Services and their regulatory development.

The General Management of Game Management may require stakeholders to provide documentation and information for the resolution of the approval procedure.

Once the final certification report has been received and favourably assessed, the General Management of the Game Management will approve the technical systems of the game in accordance with the provisions of Article 16 of the Law 13/2011 of 27 May of regulation of the game, within a maximum period of six months from the notification of the granting of the licence, without prejudice to the extension of that time limit by the time the person concerned takes to respond to any requests made by the General Management of Game Management following the submission of the final certification report.

Fourth. Description of the technical system licensed.

For the description of the technical system licensed, the following documentation must be provided:

-Updated description of the technical system.

-In the case of singular licenses, the particular rules.

-The operator's descriptive questionnaire.

The operator's descriptive questionnaire is a document prepared by the operator, which includes structured information regarding the exercise of its activity, its offer of play, its suppliers and its contacts.

The content of the questionnaire completed by the operator must match that of the final certification reports presented in those aspects that are common. Otherwise, the operator must justify the existing differences.

Fifth. Certification reports.

The operator must present a definitive certification report of the functionality of the technical gaming system and a definitive report of certification of the safety of the technical game system used for the development and execution of the game object of the corresponding license.

The final certification report for the functionality of the gaming technical system must be issued by one of the entities designated by the General Management of the Game Management for the certification of software game.

The final safety certification report must be issued by one of the entities designated by the General Management of the Game Management for information systems security certification.

Definitive certification reports must prove that the technical system effectively employed by the operator for the development and operation of the game subject to the corresponding license meets the technical requirements required by the current gaming regulations, pronouncing on the state of the technical game system used to the date of its presentation.

The final certification reports to be provided by the operator after the granting of a general license must cover the user registry, the game account, the management of charges and payments, the internal control system and the different terminals or applications that allow participant access.

The final certification reports to be provided by the operator after the provisional grant of a singular license must cover the game software and, if applicable, the random number generator, the internal control system and the different terminals or applications that allow participant access.

The operator concerned may submit a single certification report only, irrespective of whether it is applicable in the approval processes of one or more of the licences granted to it. In this case, and after the first submission of the certification report, the reference to its contribution and the identification of the procedure in which it has been carried out shall be sufficient.

The report will be made entirely in Spanish. The annexes, evidence or supporting documentation of the report may be provided in Spanish or in the original language in which they are drawn up, in which case the General Directorate for the Management of the Game may require the operator to provide, within ten days, the translation into Spanish of any of the annexes or documents initially provided in another language.

Sixth. Game service providers.

The gaming technical system effectively employed by the operator for the development and exploitation of the game subject to the license shall comprise the systems of all the gaming service providers involved in the complete solution.

The requesting operator must be responsible for the approval of the complete game technical system and for the submission of definitive certification reports covering the technical systems of all gaming service providers.

Seventh. Functionality certification report.

The final functionality certification report will assess compliance with the technical requirements of the game technical system effectively employed by the operator for the development and exploitation of the game that is the subject of the license.

A single report covering the full scope will be presented in the general licenses.

Multiple reports may be presented in singular licenses when the software of the games or modes included in a report is completely independent of the software of the games or modes of other reports. In any case, each report shall demonstrate compliance with all technical requirements for the games and modalities included as well as the internal control system and the integration with the gaming platform.

The minimum model and content of the definitive functionality certification report is the one set out in Annex III to the Resolution approving this provision.

The final certification report for the functionality will consist of at least three test sets or analyses:

a) Testing for assessment of compliance with technical requirements:

For the assessment of compliance with the technical requirements, the certification body may choose the test or evidence that it considers most appropriate. The list of technical requirements is set out in Annex V to the Resolution approving this provision.

The certification entity issuing the report may perform any of the tests referred to in an environment different from the one effectively employed by the operator for the development and exploitation of the game subject to the license, but the certification issued must in any case refer to the technical game system effectively employed by the operator. In cases where environments different from the operator's are used, the certification body must certify under its responsibility that the results obtained in the test environment can be extrapolated to those that would have been obtained had the tests been performed in the technical system effectively employed by the operator for the development and operation of the game covered by the licence, having analysed that any differences between the test environment and the technical game system effectively employed do not affect the quality of the test results.

b) Specific analysis of relevant functionalities:

The certification entity must perform a specific analysis of certain functionalities of special relevance.

In general license cases, the checks on identity and the causes of subjective prohibition will be analyzed and measures to combat fraud and money laundering will be evaluated. In the case of singular license, the logic of the game will be analyzed, and, when applicable, the percentage of return to the player and the random number generator.

c) Integration tests:

The certification entity must design and perform the necessary integration tests to demonstrate compliance with the requirements in the game technical system effectively employed.

In the case of initial approval, the integration tests must be carried out in the technical system of the game effectively employed by the operator for the development and operation of the game which is the subject of the licence; a different environment may not be used for these purposes.

In the case of subsequent certifications, in the context of substantial change management, the integration tests may be performed in an environment different from the one effectively employed by the operator for the development and exploitation of the game covered by the licence. In cases where environments different from the operator's are used, the certification body must certify under its responsibility that the results obtained in the test environment can be extrapolated to those that would have been obtained had the tests been performed in the technical system effectively employed by the operator for the development and operation of the game covered by the licence, having analysed that any differences between the test environment and the technical game system effectively employed do not affect the quality of the test results.

The integration test set must comprise at least those described in Annex VI of the Resolution approving this provision.

Integration tests are intended to analyze actual data generated during the development and marketing of the gaming activity by the operator. These integration tests with real data require that the game technical system has at least one month of data, and cannot be completed by testing or simulations. In cases where, at the time of submission of the final certification report, the operator has not initiated the development of the gaming activity, the report may be submitted without providing the result of the above tests, in which case the approval shall be conditional upon the presentation of those results and their favourable assessment by the Directorate-General for the Management of the Game. The results of the tests carried out for the analysis of actual data generated during the development and marketing of the gaming activity, if not presented together with the final certification report, shall be presented within three months from the start date of the corresponding gaming activity.

The definitive functionality certification report will include a copy of the certified software binaries and a fingerprint of those components that are qualified as critical.

Eighth. Safety certification reports.

Safety certification can only be carried out on the technical game system effectively employed by the operator for the development and exploitation of the game which is the subject of the corresponding licence, in relation to the effectively implemented procedures, processes, plans and security measures.

The operator may ask the certification body for a single safety certification report covering the entire gaming technical system, in order to be able to use it in the approval processes of each of the licenses granted to it.

In cases where one or more gaming service providers are part of the gaming technical system effectively employed by the operator for the development and exploitation of the game that is the subject of the corresponding license, the applicant operator shall submit a final certification report on the safety of the technical infrastructure of each of the suppliers.

The minimum model and content of the definitive safety certification report is the one set out in Annex IV to the Resolution approving this provision.

The final safety certification report will consist of two parts. In the first, the certification body shall demonstrate compliance with the safety requirements, the list of which is set out in Annex VII to the Resolution approving this provision. Partial validation of compliance with the technical safety requirements shall be possible where the safety management system under certification has an ISO 27001 certification with the same scope as of the date of the application for approval. The safety requirements which may benefit from this recognition are set out in Annex VII. The certification body shall attach a copy of the ISO 27001 certification, which clearly states the scope of the certification and its period of validity.

In the second part, the certification entity must perform specific audit analyses with respect to the list of critical components, change management, business continuity management, and information loss prevention.

Ninth. Compliance with personal data protection regulations.

The operator will present, together with the final certification report, a descriptive report on compliance with personal data protection regulations.

There will be a single report per operator, applicable to the different general and singular licenses it holds.

The General Management of the Game, in compliance with article 16 (4) of Law 13/2011, of May 27, of regulation of the game, will request a report from the Spanish Agency of Data Protection.

10th. Procedure for managing substantial changes in the technical gaming system.

The entry into production of any substantial modification affecting a critical component will require the prior authorisation of the General Management of the Game after the submission of the relevant certification report. The General Directorate for the Management of the Game shall decide on the authorisation of substantial changes of critical components within one month from the date of receipt of the operator's request.

The General Management of Game Management may qualify as critical other components in addition to those identified in the definitive certification reports or those that the operator has qualified as such.

In the event of extraordinary emergency situations affecting security, duly accredited and communicated to the General Management of the Game, the operator may make substantial changes to the critical components and subsequently ask for their authorisation. In these cases, for the purpose of obtaining the approval, the operator shall submit to the Directorate-General for the Management of the Game, together with the certification report, a report showing the exceptional circumstances and the risk to the security of the technical gaming system.

From licensing until the operator presents the definitive certification reports, the operator may request authorization for the entry into production of substantial changes to the technical game system in accordance with the defined substantial change request procedure. However, the time limit for resolving the application for authorisation of such substantial changes shall be postponed until the technical system for the technical project assessed for the granting of the licence has been approved.

After obtaining the approval, the operator shall draw up quarterly a descriptive report of all the changes made to the technical game system and notify the General Management of the Game. The following documentation will be included:

-An executive summary, in Spanish, that explains in a qualitative way the changes made.

-The updated description of the licensed technical system, with the content described in section Fourth of Annex I to the Resolution approving this provision.

The General Management of Game Management may establish the obligation that the quarterly descriptive report of all changes made to the technical gaming system include a digital fingerprint of the binaries.

The General Management of the Game Management will ask the operator for information about the changes made.

If any changes made to critical components are considered substantial by the General Management Directorate of the Game, it shall require the operator to obtain approval of the changes, without prejudice to the possibility of requiring the operator to withdraw the change until it obtains the relevant approval.

11th. Fingerprints.

With regard to the procedure for obtaining the digital fingerprint of the software referred to in this Resolution, the following must be observed:

(a) The SHA-1 algorithm shall be used, unless there is technical justification for the use of another algorithm, which must be authorised in advance by the General Management of the Game.

(b) The tool or procedure used to obtain fingerprints, as well as the tool or procedure to validate the fingerprints obtained, must be attached together with the fingerprints. The necessary tools must be enclosed on digital media, or the location from which they are publicly available free of charge should be indicated.

(c) In the case of a tool subject to patent or intellectual property rights, the manner in which the General Management of the Game Management and any other certification body may have free access to it and the rights to use it shall be justified.
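
As an added example, not part of the Resolution or of any tool published by the Directorate-General: one way to obtain and to validate the fingerprints described in points (a) and (b), in Python. The manifest layout, the function names and the status labels are assumptions made for illustration; SHA-1 is the default and the algorithm is recorded in the manifest so that an authorised alternative can be validated the same way.

```python
import hashlib
import hmac
from pathlib import Path

DEFAULT_ALGORITHM = "sha1"  # point (a); any other algorithm needs prior authorisation


def fingerprint(path, algorithm=DEFAULT_ALGORITHM):
    """Return the hex digest of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, components, algorithm=DEFAULT_ALGORITHM):
    """Tool to obtain fingerprints: header naming the algorithm, then 'digest  relative/path' lines.

    The layout is an assumption of this example, not a format defined by the Resolution.
    """
    root = Path(root)
    lines = [f"# algorithm: {algorithm}"]
    for relative in sorted(components):
        lines.append(f"{fingerprint(root / relative, algorithm)}  {relative}")
    return "\n".join(lines) + "\n"


def validate_manifest(root, manifest_text):
    """Tool to validate fingerprints: return {relative_path: status} for every manifest entry.

    Status is OK, MISMATCH, MISSING, OUTSIDE_ROOT (entry escapes the delivery
    directory) or MALFORMED (line is not 'digest  path').
    """
    root = Path(root).resolve()
    algorithm = DEFAULT_ALGORITHM
    results = {}
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "algorithm":
                algorithm = value.strip()
            continue
        expected, _, relative = line.partition("  ")
        if not expected or not relative:
            results[line] = "MALFORMED"
            continue
        target = (root / relative).resolve()
        if root not in target.parents:
            results[relative] = "OUTSIDE_ROOT"
        elif not target.is_file():
            results[relative] = "MISSING"
        elif hmac.compare_digest(fingerprint(target, algorithm), expected.lower()):
            results[relative] = "OK"
        else:
            results[relative] = "MISMATCH"
    return results


if __name__ == "__main__":
    import tempfile

    # Constructed sample: two small files standing in for critical component binaries.
    with tempfile.TemporaryDirectory() as delivery:
        base = Path(delivery)
        (base / "rng.bin").write_bytes(b"constructed RNG binary")
        (base / "game.bin").write_bytes(b"constructed game binary")
        manifest = build_manifest(base, ["rng.bin", "game.bin"])
        print(manifest, end="")
        # A change made after certification shows up as a mismatch on re-validation.
        (base / "game.bin").write_bytes(b"binary changed after certification")
        for name, status in sorted(validate_manifest(base, manifest).items()):
            print(f"{status:12} {name}")
```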

ANNEX II

Operator descriptive questionnaire

The questionnaire will collect information about the operator, its activity and its technical game system for the development and exploitation of the games covered by the licenses of which it is a holder.

The questionnaire will include, among others, the following information:

-Identification data of the operator and the licenses of which it is a holder, as well as the start of its activity.

-Information about your contacts.

-Description of the software vendors.

-List of its domains.

-List of domains other than ".es" owned or controlled by the gaming operator, its parent, or its subsidiaries.

-Types of means used for player identity verification.

-List of the means of payment used and the date of commencement of their marketing. The types of means of payment shall be in accordance with the classification established in the Resolution approving the data model of the information monitoring system for the records of game operations.

-Information regarding co-organized game networks.

-Description of the game offer. List of game variants.

-Description of applications for participant access.

-Description of the communication channels used and the access technologies.

The questionnaire may also include any other data from the technical gaming system that is relevant to the approval activity.

To facilitate its completion, it will be published in electronic form on the website of the General Management of Game Management.

The General Management of Game Management will be able to update the content and format of the questionnaire. The questionnaire to be used will in any case be the last published.

ANNEX III

Model and minimum content of the functionality certification report

The definitive certification report for the functionality is structured in the sections and will present the minimum content that follows:

1. Identification of the certification.

2. Description of the certification object.

3. Executive summary of the functionality certification.

4. Detail of compliance with technical requirements.

5. Detail of the specific analyses.

6. Detail of the integration tests.

7. Description of the place, equipment and dates of completion of the certification.

8. Description of the environments used in the tests different from the one effectively employed by the operator for the development of the gaming activity.

9. Description of the digital support that will accompany the certification report.

1. Identification of the certification

The first page of the report will detail the following:

a) Type of certification report: "Final report of certification of the functionality".

b) The report identification code: the identification code of the report shall be unique and shall allow the report to be referenced unambiguously and distinguished from any other report issued by the certification body. Each time the certification entity makes any changes to a report, it must generate a new identification code for it.

c) Identification data of the certifying entity.

d) Identification data of the person signing the report on behalf of the certifying entity.

e) Dates of completion of the certification work.

f) The issue date of the certification report.

2. Description of the certification object

The certification object shall expose the scope of the technical system of the game to be certified, and shall include at least the following information:

• The identification of the software elements used in the technical system for the development and exploitation of the game object of the corresponding license, with express mention of the manufacturer, name of the product and version. In this list of items, the captor and the storeroom must be included in any case.

• List of the components qualified as critical and fingerprint of those components. This list may be attached in a separate section, as an annex, for reasons of organisation.

• The identification of the data processing centers in which they are installed.

• Certified access channels (Internet, SMS, IVR, face-to-face ...).

For general licenses:

• Certified websites and business names.

• Version of the player identity verification web service against which the system queries.

• Means of payment used during certification.

For singular licenses:

• Certified websites and business names.

• Operator role: It must be indicated whether the operator acts as B2C, B2B or both. In the case of a B2B operator, it must be indicated whether it acts as a co-organizer of the game, that is, whether it manages gaming platforms in which it or other gaming operators participate and which pool amounts of money from their respective users.

• The game offer under the scope of certification, indicating certified game variants. For each of the games and variants certified, the name defined by the manufacturer, the trade name and, where applicable, the correspondence with the games and variants permitted by the basic regulation shall be indicated.

• Access technologies to the certified gaming technical system, such as:

• Web access.

• Downloadable Client in Flash technology.

• Downloadable clients for PC (indicating for which operating systems).

• Native applications for Smartphone, tablets, or other mobile devices (indicating for which operating systems).

• Web access mobile clients, for example, based on HTML.

For counterpart sports bets and cross bets, it must be indicated whether the game offer includes live bets.

When the scope of the certification report includes several game variants, it shall be indicated throughout the report, for each test, analysis or technical requirement, whether the assessment issued, or any other information included, refers to all variants or, where applicable, only to specific ones.

3. Executive summary of the functionality certification

3.1 Overall rating of the functionality.

An overall rating of the compliance with the technical requirements of the technical gaming system actually used by the operator for the licence shall be included. The rating may be "Compliant" or "Not compliant".

This rating may only be "Compliant" when the certification body considers that the technical gaming system actually used by the operator for the license complies with all applicable requirements.

Overall functionality rating: The result of the analysis shall be rated globally as "Compliant" or "Not compliant".

3.2 Table summary of compliance with technical requirements.

The requirement areas that must be certified for each license are described in Annex V to the Resolution approving this provision.

For each requirement, a qualification will have been obtained that can be "Compliant", "Noncompliant", or "Does not apply".

Technical requirements have been grouped by area.

A summary table will be presented in the executive summary with the number of requirements each rating receives for each area.

Ratings will be detailed as follows:

| Area | Number of requirements | Number of compliant requirements | Number of non-compliant requirements | Number of requirements that do not apply |
|---|---|---|---|---|
| Area XXX | 7 | 6 | 0 | 1 |
| Area YYY | 4 | 4 | 0 | 0 |

3.3 Summary of specific analyses.

For certain functionalities of particular relevance, the certification entity must perform several specific analyses. In some cases it will be necessary to detail the analysis carried out in a subsequent section.

3.3.1 Analysis of Identity Checks and Bans.

This analysis will apply only to general licenses.

Rating: The result of the analysis as "Compliant" or "Not compliant" with respect to the technical requirements in this field.

General data

Accepts non-resident participants: Yes/No.

Allows playing without user registration: Yes/No. If yes, list the games in which it is allowed.

Channels for accrediting identity: Indicate the list of channels: Internet, telephone, SMS, face-to-face, others.

Checks before activating the user registry

Uses the identity verification service provided by the Dirección General de Ordenación del Juego for residents: Yes/No. If it is used but not in all cases, indicate when.

Other means of identity verification: List of other means of identity verification used.

Identification documents for non-residents: List of the documents accepted to accredit the identity of non-residents.

Age-of-majority check: Yes/No.

Uses the RGIAJ registration verification service: Yes/No.

Performs the linked check: Yes/No.

Checks before crediting prizes

Uses the RGIAJ variations service every hour and updates the operator's prohibited list: Yes/No.

3.3.2 Random Number Generator Analysis.

This analysis will apply only to singular licenses where a random number generator is used, or GNA.

Rating: The result of the analysis as "Compliant" or "Not compliant" with respect to the technical requirements in this matter.

GNA manufacturer data.

Product and version: Name of the software element and version.

Fingerprint: Digital fingerprint of the binary.

Type of GNA: It will be indicated:

-GNA hardware.

-GNA software.

Random/Pseudorandom: It will be indicated:

-Random.

-The name of the phenomenon on which it is based will be indicated.

GNA shared: One of the following values will be indicated:

-GNA instance not shared with other games.

-GNA instance shared with other games. Indicate which.

-GNA integrated into the game software itself.

-Other. Describe.

Algorithm: In the case of GNA hardware, the name of the phenomenon on which it is based will be indicated.

In the case of GNA software, the name of the algorithm will be indicated, as well as the name of the libraries or operating system calls on which it is based.

If it is based on a proprietary algorithm, indicate so.

Reseeding: Indicate Yes/No, whether it includes a reseeding procedure.

Length of the space: Length in bits of the space of distinct random numbers.

List of statistical tests: List of the names of the statistical tests that have been performed.

3.3.3 Analysis of the percentage of return to the player.

This analysis will apply only to singular licenses, in those games with a return percentage.

Return-to-player percentage published for the game: The return percentage published by the operator for each game. The site where the return percentage is published shall also be indicated.

3.3.4 Analysis of the game logic and random events.

This analysis will apply only to singular licenses.

Compliance with the particular rules of the game: Yes/No.

Risk management system for counterpart bets: Indicate whether it is a custom development, or the name of the product or service used.

Audit of configuration changes to the parameters of the risk management system for counterpart bets: Yes/No.

Audit of changes made by the operator's staff to bets.

List of events: List of the events in which the random number generator intervenes, indicating whether they are presorted.

Audit of configuration changes to the game logic parameters: Yes/No.

3.3.5 Measures against fraud and money laundering.

This analysis will apply only to general licenses and should describe the measures implemented by the operator for the control of fraudulent or collusive behavior by the player.

Existence of technical measures against fraud and money laundering: Yes/No.

3.4 Summary Table of Integration Tests.

This table shall include the rating of the integration tests carried out, by area, which shall include at least those described in Annex VI.

The reference for tests additional to those described in Annex VI shall begin with "X".

The results will be detailed as follows:

| Requirement area and reference | Test name | Rating |
|---|---|---|
| Area A: | | |
| A.1 | Test name | Compliant. |
| A.2 | Test name | Does not apply. |
| A.3 | Test name | Not compliant. |
| X.1 | Additional test name | |
| X.2 | Additional test name | Compliant. |
| Area B: | | |
| B.1 | Test name | Compliant. |
| B.2 | Test name | Does not apply. |
| X.3 | Additional test name | Compliant. |

4. Detail of compliance with technical requirements

The technical requirements to be certified for each license are described in Annex V to the Resolution approving this provision.

For each requirement, a qualification will have been obtained that can be "Compliant", "Noncompliant", or "Does not apply".

This section will detail the compliance of each of the technical requirements. The requirements have been grouped by areas.

Additionally, the following situations need to be documented in the observations space:

-The reason why the requirement has been rated "Does not apply".

-When there were incidents, even if they were subsequently remedied.

-When tests have been performed in a different environment than the one effectively employed by the operator for the development of the gaming activity.

Ratings will be detailed as follows:

| Requirement area and reference | Rating | Remarks |
|---|---|---|
| Area X: | | |
| Reference A | | |
| Reference B | Not compliant. | Not compliant with requirement due to ... |
| Reference C | Not applicable. | The requirement is not applicable because of ... |

The certification body must deliver an annex where for each technical requirement the evidence of the tests performed and the results obtained are documented.

5. Detail of specific analyses

For certain functionalities of special relevance, the certification entity must perform several specific analyses described in this section.

5.1 Analysis of identity checks and subjective bans.

The certification entity will analyze identity checks and subjective prohibitions.

The analysis should describe at least the following aspects:

-General data:

Whether the system accepts non-resident participants.

Whether the system allows playing without user registration. The certification body shall describe the game or games in which this circumstance may occur.

The list of channels that can be used to accredit identity: Internet, telephone, SMS, face-to-face, or others.

-The checks performed before activating the user registry:

Whether the identity verification service provided by the Dirección General de Ordenación del Juego for residents is used.

The list of other means of identity verification used.

The age-of-majority check.

The use of the RGIAJ registration verification service.

The performance of the linked check.

-The checks made before crediting prizes:

The use of the RGIAJ variations service every hour and the subsequent update of the operator's prohibited list and of the status of the affected participants.

5.2 Random Number Generator Analysis.

This analysis will apply only to singular licenses where a random number generator is used, or GNA.

The certification body shall describe the analyses, tests or trials performed to justify the random behaviour of the GNA and its compliance with the technical requirements. The supporting summaries or graphs, the number of simulations performed, the parameters used, and the confidence interval shall be included.

The certification entity will indicate whether there are reseeding procedures and whether they meet the technical requirements.

If there are configuration parameters on which the operation of the GNA might depend, they will be described and the configuration settings for which the certification has been performed will be indicated.

5.3 Analysis of the return to the player in the games.

The certification entity must describe the percentage of return to the player published by the operator for each game. It must also verify the place where the percentage is published.

The certification entity must describe all configuration parameters that may affect the percentage of return to the player, as well as whether the technical gaming system allows an audit record to be kept of changes to those parameters.

5.4 Analysis of game logic and random events.

The certification entity, for each of the game variants, must prove that the game's development is in accordance with the particular rules.

The certification entity must analyze certain aspects of the game logic, the random events in the game, the parameterizable configurations, the game accounting, and the overall ability to audit any change entered manually in bets or winners.

This analysis will apply only to singular licenses.

In the case of bets:

-Risk Management System.

For counterpart bets, the risk management system will be described, indicating whether any commercial application or custom development has been installed for this purpose.

It must be indicated whether the system used is parameterizable or not. If yes, the most important configuration parameters as well as the values configured at the time of certification should be described.

The certification entity will also state in this report whether the application keeps a record of the changes made to the risk management system. If this is the case, the database files or tables where this information is stored will be indicated.

Additionally, for operators offering live bets, the measures implemented by the operator must be described in order to prevent the player from placing bets on events that have already taken place or whose result is known ("late betting").

-Audit of bets.

The certification entity must explain, for the betting management application, the recording and tracing of any modifications that may be made from back-office applications by the operator's staff. At least the following shall be analysed:

Changes to a bet's data.

Insertion of new bets.

Deletion of bets.

Change in an event result.

Change in the award of a prize.

The audit of the changes will be described, as will the way the audit record is protected from tampering.

The database files or tables where this audit information is stored should be described.

-Managing the funds.

In the mutual bets, the application that manages the accounting of the funds must be analyzed.

The registration and auditing of the betting fund, the distribution of prizes, the cases in which there would be no entries in a category, and any other movement shall be explained.

In casino games, poker, complementary games and random machines:

-Each of the random events implemented in the game in which the random number generator intervenes will be described. For example: the initial shuffle of the cards, if there is one; the drawing of a card from the deck if there is no initial shuffle; the creation of the bingo cards; the sale of bingo cards; the presorting of the bingo balls; the drawing of a bingo ball if they are not presorted; the spin of the roulette wheel; the spin of the reels on the machines of chance; etc.

-The accounting management of the items and, of the progressive jackpots, must be analyzed in those games where their use is permitted. The amounts wagered, the prizes obtained, the commissions calculated or the progressive jackpots constituted or applied shall be able to be audited.

-Audit of items.

The certification entity must explain the recording and tracing of any modifications that might be made from back-office applications by the operator's staff.

The audit of the changes will be described, as will the way the audit record is protected from tampering.

The database files or tables where this audit information is stored should be described.

-In the event that the software used to implement the gaming logic is configurable, the certification entity must describe and indicate the value of the configuration parameters that are related to the following aspects:

• Game modes.

• Banking gaming strategy or risk level assumed.

• Maximum amounts.

• Rules of play.

The certification entity must also certify that there is an audit record of any modification of these parameters.

5.5 Measures against fraud and money laundering.

This analysis will apply only to general licenses.

The certification body will describe and evaluate the measures implemented in the technical system of gambling against fraud and money laundering. Documents or evidence collected during certification shall also be attached.

6. Detail of the integration tests

This section will detail the integration tests performed, sorted by areas, which at least will comprise those described in Annex VI to the Resolution approving this provision.

The reference for tests additional to those described in Annex VI will begin with "X".

The result of each test will be rated as "Compliant", "Not compliant", or "Not applicable", depending on the expected outcome and regulatory compliance.

Each test will be detailed as follows:

Area: As in Annex VI.

Reference: As in Annex VI, or "X* **" for additional tests.

Name of the test.

Description of the test.

Result.

Type: According to the classification of test types in Annex VI.

Date/time the test was performed.

Result obtained.

Rating.

Observations.

As a result, the certification body must deliver an annex in which it will collect and document evidence of the outcome of the integration tests. The evidence to be collected depends on the type of test to be performed and is described in Annex VI to the Resolution approving this provision.

7. Description of the place, team, and completion dates of the certification

This section will describe the work team that carried out the certification, as well as the place(s) and date(s) in which it was performed.

8. Description of the environments used in the tests different from the one effectively employed by the operator for the development of the gaming activity

In the event that certain tests of the technical gaming system have been performed in an environment different from the one actually used by the operator for the development and operation of the game covered by the license, the certification entity should describe in this section the different environments used.

For each of these environments, the test relationship for which each environment was used will be indicated.

9. Description of the digital support that will accompany the certification report

This section will describe the content of the digital media that will accompany the certification report.

The certification report will be accompanied by digital media, which will be structured as follows:

-Full certification report in digital format.

-A descriptive questionnaire for the certification object in digital format.

-Evidence of the assessment of technical requirements. They will be grouped within a folder named "Technical Requirements".

-Evidence of integration tests. They will be grouped within a folder named "Integration".

-Copy of the software elements of the game technical system, which will contain copies of the binary of the software elements of the certified game technical system. They must be grouped into a folder named "Binary" and will be structured into subfolders with the name of each of the software elements indicated in the questionnaire.

ANNEX IV

Model and content of the security certification report

The security certification report is structured in the following sections and shall present at least the content set out below:

1. Identification of the certification.

2. Description of the certification object.

3. Executive summary of the security certification.

4. Detail of the compliance with the security requirements.

5. Detail of the specific audit analyses.

6. Description of the place, equipment and dates of completion of the certification.

7. Description of the digital support that will accompany the certification report.

1. Identification of the certification

The first page of the report will detail the following:

a) Type of certification report: "Final safety certification report" shall be entered.

(b) The report identification code: The identification code of the report shall be unique and shall allow for a single reference to be made and its differentiation from any other report issued by the certification body. Each time the certification entity makes any changes to a report, it must generate a new identification code for it.

c) Identification data of the certifying entity.

d) Identification data of the person who signs the report on behalf of the certifying entity.

e) Dates on which the certification work was carried out.

f) The issue date of the certification report.

2. Description of the certification object

The object of the security certification shall be the technical gaming system actually used by the operator for the development and operation of the game covered by the relevant licence, in relation to the security procedures, processes, plans and measures actually implemented.

To describe the scope of the security certification object, the following are considered: the data processing centers where the technical gaming system is hosted, the software installed on them, and the organizations where the security procedures, processes, plans and measures are in place.

To describe the data processing centers covered by the certification, the following list shall be included:

| | Street, number | City | Country | Type | Hosting provider's company name |
|---|---|---|---|---|---|
| 1 | | | | | |
| 2 | | | | | |

The "street", "number", "city" and "country" fields refer to the physical location of the data processing center (CPD). The "type" field indicates how the CPD is hosted and must match one of the following values: "hosting", "housing", or "own".

The "hosting provider's company name" field is to be completed only when "type" contains one of these values: "hosting" or "housing".

For each of the data processing centers, the software elements used in the technical system installed on them must be identified, with express mention of the manufacturer, product name and version.

The list of entities responsible for security management, that is, for implementing the security policies, procedures and measures certified in the report, should be indicated.

3. Executive Summary of Security Certification

3.1 Global security rating.

An overall rating of the compliance with the technical security requirements of the technical gaming system actually used by the operator for the licence shall be included. The rating may be "Compliant" or "Not compliant".

This rating may only be "Compliant" when the certification body considers that the technical gaming system actually used by the operator for the license complies with all applicable requirements.

Overall security rating: The result of the analysis shall be rated globally as "Compliant" or "Not compliant".

ISO 27001 validation: It will be indicated whether the report makes use of an ISO 27001 certification to validate certain requirements.

3.2 Table summary of compliance with security requirements.

The technical safety requirements to be certified for each license are described in Annex VII to the Resolution approving this Disposition.

For each requirement, a qualification will have been obtained that can be "Compliant", "Convalidated", "Not compliant", or "Not applicable".

Technical requirements have been grouped by area.

A summary table will be presented in the executive summary with the number of requirements each rating receives for each area.

Ratings will be detailed as follows:

| Area | Number of requirements | Number of compliant requirements | Number of validated requirements (ISO 27000) | Number of non-compliant requirements | Number of requirements that do not apply |
|---|---|---|---|---|---|
| Area XXX | 7 | 6 | 0 | 0 | 1 |

4

3

1

4

4

0

0

3.3 Summary of specific audit analyses.

For certain security areas of special relevance, the certification entity must perform several specific audit analyses that are described in a subsequent section.

This section will point to an executive summary of these:

3.3.1 Audit analysis of critical components.

Rating: The result of the analysis as "Compliant" or "Not compliant" with respect to the correct identification of critical components.

3.3.2 Change Management Audit Analysis.

Rating: The result of the analysis as "Compliant" or "Not compliant" with respect to the technical requirements in this field.

3.3.3 Audit analysis of business continuity management and prevention of loss of information.

Rating: The result of the analysis as "Compliant" or "Not compliant" with respect to the technical requirements in this field.

A "Compliant" result represents the certification entity's agreement that the operator's technical system allows the recovery times and data-loss times analyzed in this section to be achieved.

Maximum disaster recovery time: The worst of the maximum disaster recovery times, or RTO ("recovery time objective"), among those provided by the operator.

Maximum time of loss of information in the event of a disaster: The worst of the maximum times of loss of information in the event of a disaster, or RPO ("recovery point objective"), among those provided by the operator.

4. Detail of compliance with security requirements

The technical safety requirements to be certified for each license are described in Annex VII to the Resolution approving this Disposition.

For each requirement, a qualification will have been obtained that can be "Compliant", "Noncompliant", or "Does not apply".

This section will detail the compliance of each of the technical requirements. The requirements have been grouped by areas.

Additionally, the following situations need to be documented in the observations space:

-The reason why the requirement might be qualified as "Does not apply".

-When there were incidents, even if they were subsequently remedied.

Where the option of validating certain requirements by means of an ISO 27001 certification is used, the "Convalidated" rating shall be used and "ISO 27001" shall be indicated in the observations field.

Ratings will be detailed as follows:

Requirement Area and Reference

ISO 27001

Rating

Remarks

Documentary Reference

Area X:

Requirement AA.

Compliant.

Document XXXXX section

Not compliant.

Not compliant.

Not compliant because of ...

Requirement YY.

Not applicable.

The requirement is not applicable because of ...

Requirement ZZ.

27001

The certification entity must deliver an annex in which it will attach the security documentation, as well as all evidence to verify compliance with the requirements.

In those cases where the policy or procedure is supported by documentation, the documentary reference and the section where compliance is supported should be noted in the observations field.

The certification body must demonstrate the effective application of the security controls in the technical gaming system actually used. For this purpose, the tests carried out in addition to the documentary check shall be described.

5. Detail of specific audit analysis

For certain security areas of special relevance, the certification entity must perform several specific audit analyses described in this section.

5.1 Audit analysis of critical components.

The certification entity will issue an analysis on the correct identification by the operator of the critical components of the gaming technical system.

The certification entity shall include the list of critical components of the technical gaming system, indicating whether the security of the technical system has been strengthened. For each component in this list, it shall be indicated to which software element or elements of the questionnaire submitted by the operator it corresponds.

5.2 Change Management Audit Analysis.

The certification entity will issue an analysis on the correct conduct of the change management procedure.

The certification body shall attach, where available, the evidence and associated documentation of the last three changes carried out by the operator as of the time of this analysis.

If a software tool is available for change management, it must be indicated. The certification body must also prove that any action (registration, modification or change) can be audited.

5.3 Business Continuity Management Audit Analysis and Information Loss Prevention.

The certification entity must analyze the maximum disaster recovery time, or RTO ("recovery time objective"), indicated by the operator, and assess whether the available technical measures are sufficient to achieve it. The analysis shall describe the technical measures and the use of redundancy, backup plans, backup centres or other measures.

The certification entity must analyze the maximum time of loss of information in the event of a disaster, or RPO ("recovery point objective"), indicated by the operator, and assess whether the available technical measures are sufficient to achieve it. The analysis shall describe the technical measures and the use of redundancy, backup plans, backup centres or other measures. The certification body shall ensure that the measures in place protect all operator data, both user and gaming data.

For this evaluation, a disaster shall be understood as an incident that renders a physical location totally unusable owing to an unforeseen contingency.

6. Description of the place, team, and completion dates of the certification

This section will describe the work team that carried out the certification, as well as the place(s) and date(s) in which it was performed.

7. Description of the digital support that will accompany the certification report

This section will describe the content of the digital media that will accompany the certification report.

The certification report will be accompanied by a digital attachment, which will be structured as follows:

-Full certification report in digital format.

-Full security documentation used for security assessment, which will be collected within a folder with the name "Documentation".

-Evidence of the assessment of technical safety requirements. They will be grouped within a folder named "Technical Requirements".

-ISO 27001 certification, where provided for validation.

ANNEX V

List of functionality technical requirements

The different requirements to be certified are laid down in the regulatory rules of the game: Law, Royal Decrees, Ministerial Orders and Resolutions.

Only the obligations laid down in the regulations that are directly related to the technical evaluation of equipment, software or instruments shall be the subject of certification of the technical game system.

This section is intended to maintain a guide that collects the technical requirements of the different regulatory texts that must be considered for the certification of the functionality.

The requirements are grouped by area and the nomenclature to be used in the definitive functionality certification reports is included.

Areas:

General Licenses:

-Area: Responsible gaming.

-Area: Contract. Acceptance, copying and modifications.

-Area: User registry and check for bans.

-Area: Play account, charges, and payments.

-Area: Deposit limits.

-Area: Registration and Traceability.

-Area: Terminals and Session.

-Area: Communication channels.

-Area: Free gaming apps.

-Area: Internal control system.

Singular licenses:

-Area: Percentage of return and prize tables.

-Area: Random Number Generator.

-Area: Game logic.

-Area: Registration and Traceability.

-Area: Terminals and Session.

-Area: Channels of communication.

-Area: Free gaming apps.

-Area: Graphical Interface.

-Area: Behavior for technical errors.

-Area: Auto play.

-Area: Repetition of the move.

-Area: Live Games.

-Area: Multiple functionality.

-Area: Progressive jackpots.

-Area: Internal control system.

-Area: Game development.

-Area: Economic limits to participation.

-Area: Reporting obligations to participants.

-Area: Promotion of the games.

ANNEX VI

List of minimum integration tests

This Annex aims at the description of the tests that must be carried out for the certification of the integration of the technical systems of the operators.

Integration testing should always be performed in the environment effectively employed by the operator for the development and exploitation of the game licensed.

In the integration tests that require personal data of residents in Spain, the certification bodies may make use of the test sets that the Dirección General de Ordenación del Juego will provide for this purpose for the production environment of the verification web services.

Tests are classified based on the license type.

The following types of tests are defined along with the minimum evidence to be collected in each of them:

a) Functional.

Functional tests will consist of evaluating the external features of an application or system, using the same means that are available to a participant, or the management applications that are at the disposal of the operator's staff.

As evidence, at least the following must be collected:

• The compliance or non-compliance of the test.

• The screenshots resulting from the interaction between the participant, or the operator's staff member performing the test, and the gaming platform.

b) Traceability.

Traceability tests will consist of the analysis and contrast of the records and traces that are generated in the system when the described test is performed. The records and traces of this type of test shall be those of the information system of the central gaming unit, not the internal control system.

At a minimum, the following must be collected as evidence:

• Conformity or non-conformity of the test.

• Screen captures that display the information of the record or trace under test.

• The description of the information source (file, table ...) from which the record or trace was obtained.

c) Actual data.

The actual data analysis will consist of verifying the correct accounting, format and integrity of the data generated by the interaction between participants and the technical gaming system.

These integration tests with real data will require the technical gaming system to have at least one month of data, which cannot be completed by testing or simulations.

At a minimum, the following must be collected as evidence:

• Conformity or non-conformity of the test.

• The source (file, tables, etc.) from which the information was obtained.

• The representative data that is required for each test.

Minimum integration tests based on the type of license and sorted by areas are as follows:

A. General Licenses

A. 1 User registration and checking of prohibitions.

Reference

A. 1.1

Test Name.

User registration

Type.

Functional, Traceability.

Description of the test.

From the participant's point of view, the following registrations will be performed:

-A participant resident in Spain, with correct identity data, of legal age and not enrolled in the RGIAJ.

-A non-resident participant.

This test must be performed by all operators, regardless of whether the user registry is required for participation in the game or for the registration of winners.

Expected Result.

The DNI/NIE and the date and time at which each registration was performed will be included in the result so that the Directorate-General for the Management of the Game can verify a posteriori that the verification services of the DGOJ have been consulted.

For the non-resident registration, the code used to identify the customer and the date and time at which the test was performed will be included.

Functional

It must be validated that the user has been registered in the system.

The system must collect from the participant all the participant information fields described in Annex I, paragraph 2.1.1, of RES_TEC.

In the case of a non-resident participant, the system must request a copy of an identifying document.

Traceability

The system records and traces that capture the data of the user registration performed will be analyzed.

The traceability of the player's acceptance of the game contract must be verified.

Reference.

A. 1.2

Name of the test.

Checking of subjective prohibitions.

Type.

Functional, traceability

Description of the test.

From the participant's point of view, the following registrations will be performed:

-A participant resident in Spain who provides incorrect identity data.

-A participant resident in Spain, with correct identity data, who is enrolled in the RGIAJ.

-A participant resident in Spain, with correct identity data, who is a minor.

-A participant not resident in Spain who is a minor.

The test must be performed with the operational verification services of the Directorate-General for the Management of the Game.

Result.

The DNI and the date and time at which each registration was performed will be included in the result, so that the Directorate-General for the Management of the Game can verify a posteriori that the verification services of the DGOJ have been queried.

Functional

The system must not allow the registration of participants who are minors, who are enrolled in the RGIAJ or whose identity data proves to be incorrect on verification.

Traceability

The system records and traces that capture the user registration data will be analyzed.

Reference.

A. 1.3

Name of the test.

Validation of the DNI/NIE field.

Type.

Functional, Traceability.

Description of the test.

This test will verify that the internal control system has mechanisms to avoid the following scenarios:

-Entering incorrect values in the DNI or NIE, such as format errors or letters inconsistent with the number.

-Moving a user record whose DNI or NIE contains errors to active status.

-Confusing the NIE field with the DNI field and vice versa.

Result.

The system behavior must be described for each of the scenarios set out above, together with an assessment of it.
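A validator covering the three A.1.3 scenarios (format error, letter inconsistent with the number, DNI/NIE field confusion), as an added example that is not part of the Resolution. The check-letter rule used (number modulo 23 indexing a fixed letter table, with the NIE prefix X/Y/Z read as 0/1/2) is the standard DNI/NIE rule rather than something this Annex states; the function names, record fields and sample numbers are constructed for illustration.

```python
import re

# Standard DNI/NIE check-letter table: letter = CHECK_LETTERS[number mod 23].
# General knowledge about the document format, not text from the Annex.
CHECK_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
NIE_PREFIX_VALUE = {"X": "0", "Y": "1", "Z": "2"}

# [0-9] instead of \d: \d would also accept non-ASCII digits.
DNI_FORMAT = re.compile(r"[0-9]{8}[A-Z]")
NIE_FORMAT = re.compile(r"[XYZ][0-9]{7}[A-Z]")


def normalize(value):
    """Upper-case and drop the separators users commonly type."""
    return re.sub(r"[\s.\-]", "", value).upper()


def detect_type(value):
    """Return 'DNI', 'NIE' or None, judging by format alone."""
    v = normalize(value)
    if DNI_FORMAT.fullmatch(v):
        return "DNI"
    if NIE_FORMAT.fullmatch(v):
        return "NIE"
    return None


def expected_letter(value):
    """Compute the check letter the numeric part requires."""
    v = normalize(value)
    kind = detect_type(v)
    if kind is None:
        raise ValueError("not a DNI/NIE format")
    digits = v[:-1]
    if kind == "NIE":
        digits = NIE_PREFIX_VALUE[digits[0]] + digits[1:]
    return CHECK_LETTERS[int(digits) % 23]


def validate_document(declared_type, value):
    """Return (ok, reason) for a value entered in the DNI or the NIE field."""
    v = normalize(value)
    kind = detect_type(v)
    if kind is None:
        return False, "format_error"        # scenario 1: wrong format
    if kind != declared_type:
        return False, "type_mismatch"       # scenario 3: NIE in DNI field
    if expected_letter(v) != v[-1]:
        return False, "letter_mismatch"     # scenario 1: incongruous letter
    return True, "ok"


def can_activate(record):
    """Scenario 2: a record may only become active with a valid document."""
    ok, _ = validate_document(record["doc_type"], record["doc_number"])
    return ok


# Constructed sample inputs (not real identity numbers).
SCENARIOS = [
    ("DNI", "12345678Z"),   # valid DNI
    ("DNI", "12345678A"),   # letter does not match the number
    ("DNI", "1234567Z"),    # too short
    ("DNI", "X1234567L"),   # a NIE typed into the DNI field
    ("NIE", "X1234567L"),   # valid NIE
    ("NIE", "12345678Z"),   # a DNI typed into the NIE field
]


def run_scenarios():
    """Return the validation reason for each constructed scenario."""
    return [validate_document(t, v)[1] for t, v in SCENARIOS]


if __name__ == "__main__":
    for (doc_type, number), reason in zip(SCENARIOS, run_scenarios()):
        print(f"{doc_type:3} {number:10} -> {reason}")
```

The reason codes map one-to-one onto the scenarios the certification entity has to describe, so the same function can drive both the registration form and the active-status transition.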

A. 2 Game account, charges and payments.

Reference.

A. 2.1

Name of the test.

Correct logging of operations on the gaming account

Type.

Functional, traceability

Description of the test.

From the participant's point of view, deposit and withdrawal operations will be performed on the game account.

It will be analyzed whether other operations are available in the game account.

Result.

The DNI, the date and time, and the description of each operation performed will be included in the result so that the Directorate-General for the Management of the Game can verify a posteriori that the data correctly reaches the internal control system.

Functional

The correct accounting of deposits and withdrawals in the game account will be verified.

If other operations are available in the game account, the result will include a list of them.

It will be verified that none of the operations allows the participant to receive credit from the operator or to make transfers between participants.

Traceability

The system records and traces that capture the accounting data for deposits and withdrawals will be analyzed.

A. 3 Deposit limits.

Reference

A. 3.1

Name of the test.

Deposit above the limits

Type.

Functional, Traceability.

Description of the test.

An account that has the default daily, weekly, or monthly deposit limits will be accessed.

The limits will be lowered to 10, 15, and 20 euros respectively. Deposits below the limit will be made.

Deposits will be made over the limit.

Each limit must be tested, either daily, weekly, or monthly, using different time range combinations.

Result.

Functional.

The system allows limits to be reduced.

The system allows deposits below the limit and does not allow them above.

Traceability.

The system logs and traces that show the limit changes will be analyzed.

Reference.

A. 3.2

Name of the test.

Deposit Limits Data.

Type.

Actual Data.

Description of the test.

The actual system data will be queried to find out how many participants have limit amounts higher than the preset ones.

If there are participants whose limits are higher than the preset ones, it will be verified that the necessary requests for an increase in limits have been properly made and evaluated. For the purposes of this test, testing a sample of 5 participants will be sufficient, if any.

Result.

The result will include the "JugadorId" identification codes of the participants analyzed, indicating the dates when they made the limit increase requests and the dates they were authorized.

It will be verified that the system keeps records and traces of the requests, the analyses performed and the authorizations of limit increases.

A. 4 Internet. Redirection to domain ".es".

Reference.

A. 4.1

Name of the test.

Redirection to domain ".es"

Type.

Functional.

Description of the test.

The operator will provide the certification entity with the list of domains other than ".es" on which it, its parent company or its subsidiaries offer games.

The certification entity will access each of the sites from an IP address associated with Spanish territory and will verify the redirection.

Result.

Redirection to the ".es" domain will be verified.

The certification entity will list the domains other than ".es" that have been used in the test.

A. 5 Internal Control System.

Reference.

A. 5.1

Name of the test.

Integrity of RUT and CJT records.

Type.

Actual Data.

Description of the test.

In this test, the SCI data shall be checked against the data of the operator's information system in order to assess the integrity of the SCI data.

The following monthly data shall be obtained:

From the monthly RUT record:

• Number of registrations.

• Number of participants per state.

From the monthly CJT record:

• Initial balance.

• Deposits.

• Withdrawals.

• Participation.

• Return of participation.

• Prizes.

• Final balance.

• Prizes in kind.

• Other movements.

This test requires the certification entity to access real data in the clear. The operator must provide the monthly RUT and CJT files in the clear to the certification entity, and the certification entity must validate that they match the ones actually stored in the operator's information system.

In no case is the certification entity required to know the encryption key.

Result.

For the monthly RUT:

-The RUT file data will be contrasted with listings obtained from the backoffice of the technical gaming system.

The certification entity needs to be satisfied with the veracity of these listings, since they are the source against which the integrity of the actual SCI data is contrasted.

For the monthly CJT:

-The data in the CJT file will be contrasted with listings obtained from the backoffice of the technical gaming system.

The certification entity needs to be satisfied with the veracity of these listings, since they are the source against which the integrity of the actual SCI data is contrasted.

-It will be verified that the initial balance of each month equals the final balance of the immediately preceding month.

-It will be verified that the final balance equals the initial balance plus the sum of the other movements.

As a result of this test, the certification entity must include:

-The conformity of the checks and the evidence for them.

NOTE: The checks and calculations shall be carried out separately, both in "EUR" currency units and in any other unit, whether bonus points or other units.
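The monthly CJT checks of test A.5.1 (balance continuity between months, final balance equal to initial balance plus movements, comparison with the backoffice listing, each unit handled separately), as an added example that is not part of the Resolution. The record layout, the field names and the sign convention (amounts that reduce the balance are stored negative) are assumptions, and the sample totals are constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Movement fields, stored signed (assumed convention: deposits, returns and
# prizes positive; withdrawals and participation negative).
MOVEMENTS = ("deposits", "withdrawals", "participation",
             "participation_return", "prizes", "other")


def rec(month, unit, initial, final, **moves):
    """Build one monthly total; amounts are parsed as exact decimals."""
    row = {"month": month, "unit": unit,
           "initial": Decimal(initial), "final": Decimal(final)}
    for name in MOVEMENTS:
        row[name] = Decimal(moves.get(name, "0"))
    return row


def next_month(month):
    """'2014-12' -> '2015-01'."""
    year, mon = map(int, month.split("-"))
    return f"{year + mon // 12:04d}-{mon % 12 + 1:02d}"


def reconcile(cjt_rows, backoffice_rows):
    """Return a sorted list of (check, unit, month, detail) findings."""
    findings = []
    backoffice = {(r["unit"], r["month"]): r for r in backoffice_rows}
    by_unit = defaultdict(list)          # EUR, bonus points, ... kept apart
    for row in cjt_rows:
        by_unit[row["unit"]].append(row)

    for unit, rows in by_unit.items():
        rows.sort(key=lambda r: r["month"])
        previous = None
        for row in rows:
            month = row["month"]
            # Check 1: final balance = initial balance + sum of movements.
            expected = row["initial"] + sum(row[m] for m in MOVEMENTS)
            if expected != row["final"]:
                findings.append(("balance_equation", unit, month,
                                 str(row["final"] - expected)))
            # Check 2: initial balance = final balance of the previous month.
            if previous is not None:
                if next_month(previous["month"]) != month:
                    findings.append(("month_gap", unit, month,
                                     previous["month"]))
                elif previous["final"] != row["initial"]:
                    findings.append(("continuity", unit, month,
                                     str(row["initial"] - previous["final"])))
            # Check 3: every figure matches the backoffice listing.
            ref = backoffice.get((unit, month))
            if ref is None:
                findings.append(("backoffice_missing", unit, month, ""))
            else:
                for field in ("initial", "final") + MOVEMENTS:
                    if ref[field] != row[field]:
                        findings.append(("backoffice_mismatch", unit,
                                         month, field))
            previous = row
    return sorted(findings)


def sample_data():
    """Constructed monthly totals with three deliberate discrepancies."""
    cjt = [
        rec("2014-01", "EUR", "1000.00", "1260.00", deposits="500.00",
            withdrawals="-200.00", participation="-300.00",
            participation_return="10.00", prizes="250.00"),
        rec("2014-02", "EUR", "1260.00", "1405.00", deposits="400.00",
            withdrawals="-100.00", participation="-350.00",
            prizes="200.00", other="-5.00"),
        # Initial balance does not match February's final balance.
        rec("2014-03", "EUR", "1400.00", "1450.00", deposits="100.00",
            participation="-50.00"),
        rec("2014-01", "BONUS", "0", "180", participation="-120", other="300"),
        # Final balance is 10 points higher than the movements explain.
        rec("2014-02", "BONUS", "180", "130", participation="-80", prizes="20"),
    ]
    backoffice = [dict(row) for row in cjt]
    backoffice[1]["deposits"] = Decimal("410.00")   # listing disagrees
    return cjt, backoffice


if __name__ == "__main__":
    for finding in reconcile(*sample_data()):
        print(finding)
```

Exact decimals are used so that a one-cent discrepancy is reported rather than lost to floating-point rounding.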

Reference

A. 5.2

Name of the test.

Valid Certificate

Type.

Actual Data.

Description of the test.

This test verifies which certificate the data is being signed with and checks that it is a valid certificate that has not been revoked.

The certification entity is not required to know the encryption key.

Result.

The certification entity will verify which certificate the data is being signed with and will certify that it is a valid certificate that has not been revoked.

The certification entity will indicate in the result the public part of the certificate with which the warehouse data is being signed.

Executive summary model of integration tests for general licenses.

Area and Requirement

Rating

A. 1 User registration and checking of prohibitions.

A. 1.1 User registration.

A. 1.2 Checking of subjective prohibitions.

A. 1.3 Validation of the DNI/NIE field.

A. 2 Game account, charges and payments.

A. 2.1 Correct logging of operations on the gaming account.

A. 3 Deposit limits.

A. 3.1 Deposit above the limits.

A. 3.2 Deposit Limits Data.

A. 4 Internet. Redirection to domain ".es".

A. 4.1 Redirection to domain ".es".

A. 5 Internal Control System.

A. 5.1 Integrity of RUT and CJT records.

A. 5.2 Valid certificate.

B. Singular Licenses.

B. 1. Game offer.

Reference.

B. 1.1

Name of the test.

Game Offering and Game Variants

Type.

Functional.

Description of the test.

The game offer corresponding to the singular license will be accessed and checked from the player interface.

The available game offer will be analyzed from each of the different participation applications or terminals.

Each of the games and variants offered will be analyzed, and correspondence will be sought with the games and variants allowed by the basic regulation.

Performing this test does not require playing, only analyzing the information published by the operator, whether informational material or the rules of the games.

Result.

The result will include a list with the following information:

-the commercial name of the games and variants found.

-the applications or terminals from which they are available.

-the correspondence with the variants of the basic regulation.

-the version of the rules assessed.

This information will be contrasted with the descriptive questionnaire of the license completed by the operator.

Reference.

B. 1.2

Name of the test.

Game development and correct accounting.

Type.

Functional, traceability

Description of the test.

From the player interface, the tester will participate in the game, verifying:

-the correct accounting of bets, prizes, commissions, or others.

-in the case of games where an operator's commission exists, that the calculation of commissions corresponds to what is established in the particular rules.

-an attempt will be made to participate with an amount higher than the balance available in the game account.

In the case of certain games, it will be verified:

-For bets, that bets cannot be placed at times not provided for in the particular rules, and in particular after the close of the marketing period: from the start of the event for conventional bets, or from the end of the event for live bets.

-For bingo, that cards cannot be bought outside the marketing period or once the game has started.

-For poker or casino, that bets cannot be placed outside the time designated for this in the particular rules.

-For machines of chance, that when the session for playing machines of chance ends automatically on reaching the predetermined time or the amount set when configuring that session, the current game ends in an orderly manner and the accounting is correct.

Note: This test will be repeated for each of the different participation applications or terminals, and for each of the games, variants or modes.

Result.

Functional

The conformity of the verifications described above, broken down for each variant analyzed.

It will be verified that it is not possible to participate with an amount higher than the balance available in the game account. The version of the particular rules will also be indicated.

Traceability.

The results will describe the tables, files, or other sources that contain the information.

An opinion will be issued on whether the logging system of the technical gaming system allows information to be retrieved to explain each of the situations, as well as to fully reconstruct the events in each of the games.

Reference

B. 1.3

Name of the test

Tracing of participation through channels other than the internet

Type

Traceability

Description

Where they exist, multiple participations will be made through each of the channels other than the internet, for example, SMS and telephone.

Result

Traceability

The system records and traces of each of the participation channels used will be analyzed, verifying that in the case of SMS and telephone the system preserves details of:

-the date/time of each message or call made.

-the telephone number that originated the message or call.

-the content of the message or call.

B. 2. Limits to participation.

Reference.

B. 2.1

Name of the test.

Limits to participation

Type.

Functional.

Description of the test.

It will be verified that the system complies with the economic limits: maximum amounts of participation and prize.

For this the certification entity will participate in the game attempting to exceed each of the limits described in the (a)

list of the following: (a) a list of the following: (a) a system (s); (ii) the system (s); (ii

the system (s); (ii) the system (s); the economic limit as well as the time limit. Also, it will be verified that the amount of money that a participant can dedicate to participation in the machines of chance cannot exceed the balance that the participant has in his/her game account at the time of the session for playing machines of chance, increased by the amount of the prizes obtained in that session.

Result.

The tests performed and the result obtained will be recorded.

B. 3. Behavior for technical errors.

Reference.

B. 3.1

Name of the test.

Loss of communication with the client

Type.

Functional.

Description of the test.

Tests will be performed in which a game is started and the loss of communication with the central gaming unit is caused.

The connection will be re-established after 1 minute, 5 minutes or 15 minutes (different intervals of time).

The system's reaction in completing the game, and its compliance with what is described in the particular rules, will be verified. This test must be performed for each of the terminals, applications, or clients, and each of the offered games or modes.

Result.

The compliance with the particular rules will be indicated.

The resulting behavior will be indicated for each terminal, application, or client, and for each game or mode.

The version of the particular rules analyzed will also be included.

Reference.

B. 3.2

Name of the test.

Client error

Type.

Functional.

Description of the test.

A game will be started and, once it has started, the unexpected shutdown of the client terminal will be caused.

The terminal will be started again after 1 minute, 5 minutes, or 15 minutes (different time intervals).

The system's reaction in ending the game, and its compliance with what is described in the particular rules, will be verified. This test must be performed for each of the terminals, applications, or clients, and each of the offered games or modes.

Result.

The compliance with the particular rules will be indicated.

The resulting behavior will be indicated for each terminal, application, or client, and for each game or mode.

The version of the particular rules analyzed will also be included.

B. 4. Internal control system.

Reference.

B. 4.1

Name of the test.

Integrity of OPT/ORT records.

Type.

Actual Data.

Description of the test.

In this test, the SCI data shall be checked against the data of the operator's information system in order to assess the integrity of the SCI data.

The following monthly data shall be obtained:

From the monthly OPT/ORT record:

• Participation.

• Return of participation.

• Prizes.

• Prizes in kind.

This test requires the certification entity to access real data in the clear. The operator must provide the OPT/ORT files in the clear to the certification body, and the certification body must validate that they match those actually stored in the operator's information system. The certification entity is not required to have access to personal data.

In no case is the certification entity required to know the encryption key.

Expected Result.

The data in the OPT/ORT files will be checked against listings obtained from the backoffice of the technical gaming system. The certification entity needs to be satisfied with the veracity of these listings, since they are the source against which the integrity of the actual SCI data is contrasted.

As a result of this test, the certification entity must include:

-The conformity of the checks performed.

-The following OPT/ORT data, calculated from the monthly data, for each month:

The quotient between the prize amount and the participation amount (expressed with 4 decimal places).

Note: No billing figures will be included in the result directly.

Note: Checks and calculations will be performed separately, both in "EUR" monetary units and in any other unit, whether bonus points or others.

Reference.

B. 4.2

Name of the test.

Integrity of the JUD/JUT records.

Type.

Actual Data.

Description of the test.

In this test, the SCI data shall be checked against the data in the operator's information system, in order to assess the integrity of the SCI data.

The following daily data for the 5 days prior to the test shall be obtained:

From JUT/JUD records:

• Number of items in each mode.

• A random sample of 5 items will be taken and their data will be contrasted with the operator's information system. For example, the participants, the prizes, the event in the case of a bet or the number of SMSs in the case of a contest.

This test requires the certification entity to access real data in the clear. The operator must provide the JUT/JUD files in the clear to the certification body, and the certification body must validate that they match those actually stored in the operator's information system. The certification entity is not required to have access to personal data.

In no case is the certification entity required to know the encryption key.

Expected Result.

The data in the JUT/JUD files will be checked against listings obtained from the backoffice of the technical gaming system. The certification entity needs to be satisfied with the veracity of these listings, since they are the source against which the integrity of the actual SCI data is contrasted.

As a result of this test, the certification entity must include:

-The conformity of the checks performed.

Note: No billing figures will be included in the result directly.

Note: Checks and calculations will be performed separately, both in "EUR" currency units and in any other unit, whether bonus points or others.

Executive Summary Model of predefined tests for singular licenses

Area and Requirement

Rating

B. 1 Game offer.

B. 1.1 Game offer and game variants.

B. 1.2 Game development and correct accounting.

B. 1.6 Tracing of participation through channels other than the internet.

B. 2 Economic Limits to Participation.

B. 2.1 Economic Limits to Participation.

B. 3 Behavior for technical errors.

B. 3.1 Loss of communication with the client.

B. 3.2 Client error.

B. 4 Internal control system.

B. 4.1 Integrity of OPT/ORT records.

B. 4.2 Integrity of JUT/JUD records.

ANNEX VII

List of technical security requirements

This Annex sets out the list of requirements which, in accordance with the provisions of the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be complied with by the non-reserved technical game systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, must be met by the technical systems of the operators of the game and must be verified by the certification entities in their final certification reports.

The areas to be verified by the certification bodies, and the order in which they are to be presented in the relevant report, are the following:

a) Security Policy.

In accordance with paragraph 4.4 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be met by the non-reserved technical gaming systems subject to licenses granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. The operator has security procedures.

2. The security procedures have been communicated to all of its employees and, where appropriate, to the collaborating entities.

Those organisations which have obtained the ISO 27001 certification in force may comply with requirements 1 and 2. In the comments section "ISO 27001" shall be indicated.

b) Analysis and Risk Management.

In accordance with paragraphs 4.1, 4.2 and 4.3 of the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be met by the non-reserved technical gaming systems subject to licenses granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. The operator has a risk management and analysis plan.

2. A periodic review of the risk analysis is performed.

3. The organization has identified critical components of the Technical Gaming System.

4. The list of critical components includes:

a) The user registry.

b) The game account.

c) Processing of the means of payment.

d) In the random number generator: the components of the technical game system that transmit or process random numbers that will be the basis of the results of the games, and the integration of the results of the random number generator into the logic of the game.

e) Those components that store, manipulate, or transmit sensitive customer information such as personal data, authentication, etc.

f) Those components that store the point-in-time status of the games.

g) The connections with the Directorate-General for the Management of the Game.

h) The internal control system: the capture and the storeroom.

i) Access points and communications to and from previous critical components.

j) Communication networks that transmit sensitive participant information.

5. The operator has enhanced security for all critical components.

In relation to requirements 4 and 5, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

c) Organization of Information Security.

In accordance with paragraph 4.5 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be met by the non-reserved technical gaming systems subject to licenses granted under Law 13/2011, of 27 May, of regulation of the game, the certification body must verify that the organization has defined a management framework for information security, indicating the duties and responsibilities of its staff.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

d) Security in communicating with participants.

In accordance with paragraphs 2.1.12 and 4.6 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be met by the non-reserved technical gaming systems subject to licenses granted under Law 13/2011, of 27 May, of regulation of the game, the certification body must verify that:

1. The operator has adopted authentication mechanisms that allow the gaming system to identify the participant, and which in turn allows the participant to identify the gaming system.

2. Communications are encrypted when personal data (user registration) or economic data (game account) is transmitted.

3. In relation to communications, the operator has taken the necessary measures to ensure the integrity and the non-repudiation in the cases of the transmission of personal or economic data, and in the transactions of participation in the game.

4. An initial user password is set, by default or by the participant.

5. During the process of defining the user password, the participant is informed about good practices in choosing secure passwords.

6. The minimum password length is 8 characters or digits, and includes at least three of the following groups: numbers, lowercase letters, uppercase letters, and other symbols.

7. The password cannot contain any of the following data: the user's name, the pseudonym, the name or last name, or the date of birth of the participant.

8. A password change reminder is offered to the user at a minimum annual frequency, although it is not mandatory for the user to make the change.

9. The user and password identification mechanism is blocked if more than 5 failed access attempts occur on the same day. The operator can set a lower limit to this requirement.

10. The operator system is designed to require participant authentication before each user login, and in the case of password use, the introduction of the password. The system does not use cookies or other mechanisms to prevent user authentication or password introduction.

11. The operator has a procedure to detect accounts that have been inactive for a reasonably long time and requires a level of authentication higher than normal, or additional verifications through customer service, before allowing the resumption of the play activity, especially withdrawals.

12. The operator has a procedure to detect, within reason, unauthorized access to participants' accounts, impersonation attempts or access to their personal data.

13. The operator shall have a procedure for detecting sudden changes in the behaviour of a participant, and in particular of the amount of deposits or withdrawals, and shall initiate any action to prevent the gambling account being accessed by a third party.

In relation to the above requirements, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.
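Requirements 6, 7 and 9 above expressed as executable checks, as an added example that is not part of the Resolution. The profile field names, the date-of-birth renderings searched for, the per-calendar-day failure counter and the sample participant are assumptions made for illustration.

```python
import datetime as dt
from collections import defaultdict

MIN_LENGTH = 8              # requirement 6
MIN_GROUPS = 3              # requirement 6: three of the four groups
MAX_FAILED_PER_DAY = 5      # requirement 9: blocked on "more than 5"

# Constructed sample participant (not real data).
SAMPLE_PROFILE = {
    "username": "mlopez", "pseudonym": "Luna77",
    "first_name": "Maria", "last_name": "Lopez",
    "birth_date": dt.date(1985, 3, 14),
}


def character_groups(password):
    """Return which of the four groups of requirement 6 are present."""
    groups = set()
    for ch in password:
        if ch.isdigit():
            groups.add("digit")
        elif ch.islower():
            groups.add("lower")
        elif ch.isupper():
            groups.add("upper")
        else:
            groups.add("symbol")
    return groups


def birth_date_forms(born):
    """Digit renderings of the birth date to search for (assumed set)."""
    d, m, y = f"{born.day:02d}", f"{born.month:02d}", f"{born.year:04d}"
    return {d + m + y, y + m + d, m + d + y, d + m + y[2:], y[2:] + m + d}


def password_violations(password, profile):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(character_groups(password)) < MIN_GROUPS:
        problems.append("too_few_groups")
    # Requirement 7: case-insensitive substring match on identity data.
    lowered = password.casefold()
    for field in ("username", "pseudonym", "first_name", "last_name"):
        value = (profile.get(field) or "").casefold()
        if value and value in lowered:
            problems.append("contains_" + field)
    # Separators are dropped so that 14/03/1985 and 14-03-1985 are caught.
    squeezed = "".join(ch for ch in password if ch.isalnum())
    if any(f in squeezed for f in birth_date_forms(profile["birth_date"])):
        problems.append("contains_birth_date")
    return problems


class LoginThrottle:
    """Requirement 9: block password login after more than 5 failures
    on the same day. Counting per calendar day of the supplied timestamp,
    and not resetting on success, are assumptions of this sketch."""

    def __init__(self, limit=MAX_FAILED_PER_DAY):
        self.limit = limit
        self.failures = defaultdict(int)    # (user, date) -> failed attempts

    def is_blocked(self, user, now):
        return self.failures[(user, now.date())] > self.limit

    def attempt(self, user, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(user, now):
            return "blocked"                # checked before the password
        if password_ok:
            return "ok"
        self.failures[(user, now.date())] += 1
        return "blocked" if self.is_blocked(user, now) else "failed"


if __name__ == "__main__":
    for candidate in ("Tr4velling!", "abc12", "xLuna77!abc", "Sun-14/03/1985"):
        print(candidate, password_violations(candidate, SAMPLE_PROFILE))
```

The operator may set `limit` below 5, as requirement 9 allows; the block is evaluated before the password is compared, so a correct password does not get through once the account is blocked.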

e) Security of human and third-party resources.

In accordance with paragraph 4.7 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be met by the non-reserved technical gaming systems subject to licenses granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. The operator has a Personnel Security plan.

2. The plan includes training actions for all employees of the organization, paying particular attention to permissions for access to critical information and components.

3. In cases where the operator requires third party services involving access, processing, communication or handling of the information, or access to facilities, products or services related to the game, these third parties must meet all of the security requirements that apply to the rest of the staff.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

f) Physical and environmental security.

In accordance with paragraph 4.8 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision that develops the technical specifications for the game, traceability and security to be met by the non-reserved technical gaming systems subject to licenses granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. There is a physical security plan for the game technical system components.

2. Perimeter security for areas containing critical components and sensitive information is defined.

3. There is physical access control to the facilities in which the equipment is located, both for employees and for external personnel, and this control includes physical elements, authorization procedures, access records and surveillance services.

4. There is protection against environmental risks: water, fire, those caused by people, etc.

5. Critical equipment is protected from power outages and other outages caused by failure in support installations, and electrical wiring is protected from damage.

6. Access control mechanisms are defined for communications cabling if it carries unencrypted critical information.

7. Adequate maintenance of facilities and equipment is provided and planned.

8. Devices that contain information are securely deleted or destroyed before they are reused or removed.

9. Equipment containing information cannot be moved out of secure facilities without the appropriate authorization.

In relation to requirements 2, 3, 4, 5, 7, 8, 9 above, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

g) Communications and Operations Management.

In accordance with paragraph 4.9 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. Critical components are monitored to prevent versions other than the approved ones from being used.

2. Communication between the components of the technical gaming systems ensures integrity and confidentiality.

3. Tasks are segregated between different areas of responsibility, to minimize the possibility of unauthorized access and potential damage.

4. Development, testing, and production tasks have been separated.

5. Services provided by third parties include security controls and metrics in their contracts and are periodically audited and monitored.

6. Malicious code protection measures have been adopted.

7. Backups are made regularly, with the appropriate frequency, and are stored securely as set out in the backup plan.

8. Security measures have been adopted in the communications network.

9. Security measures have been adopted for the handling of portable media, as well as for their secure erasure or destruction, and this is set out in a documented procedure.

10. The clocks of all components, especially the critical ones, are synchronized with a reliable time source, and the operator has established measures and controls to prevent the manipulation of timestamps or their subsequent alteration, especially in audit records.

11. Audit logs of all user activity, exceptions and information security events are generated and retained for a minimum period of 2 years.

12. Audit records are protected against alteration and improper access.

13. The activities of the System Administrator and the System Operator are logged.

14. Periodic analysis of audit records is performed and actions are taken based on detected incidents.

In relation to requirements 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 and 14, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

h) Access Control.

In accordance with paragraph 4.10 of the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification body shall verify that:

1. The information access policy is documented.

2. Authorized access is ensured and unauthorized access is prevented by means of user registration controls, access privilege management, periodic review of access privileges, and a password management policy.

3. Users follow best practices in using passwords and properly protect the documentation and media in their workplace.

4. Users only have access to the services they have been authorized to use.

5. There are no generic users and every user accesses the system with their own unique user account.

6. The system authenticates all access, whether by personnel, for maintenance or of any other kind, including access from other systems and components. The inspection personnel of the Directorate-General for the Management of the Game, or other personnel acting on its behalf, shall also be authenticated.

7. Networks are segregated based on the area and responsibility of the task or function.

8. Access to operating systems requires a secure authentication mechanism.

9. The use of programs capable of bypassing access and security controls is restricted and controlled.

10. Sessions have a maximum connection duration time and a disconnect time for inactivity.

11. IT support staff have restricted access to real application data. The sensitive real data is located in isolated environments.

12. The risks associated with mobile devices are managed.

13. If teleworking exists, the associated risk is managed within the framework of the security plan.

In relation to requirements 1, 2, 3, 4, 6, 7, 8, 9, 10, 11 and 12, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

i) Purchase, development, and maintenance of systems.

In accordance with paragraph 4.11 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that there is a security plan in the decision-making for the purchase, development and maintenance of the information systems.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

j) Managing security incidents.

In accordance with paragraph 4.12 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. There is a documented security incident management procedure.

2. There is a security incident record (with facts, impacts, and measures taken).

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

k) Change management.

In accordance with paragraph 4.13 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, and with the provisions of Article 10 of this provision, the certification entity shall verify that:

1. There is a procedure for managing changes in equipment and components of the game technical system in the production environment.

2. There is an internal approval process for changes (change request, decision-makers' approval).

3. A change log (requests, decisions adopted) is preserved and can be audited later.

4. In the case of changes in critical components, it shall be assessed whether this is a substantial change.

5. Copies of the binaries of the software items will be preserved for all software versions that have actually been used in the technical system.

The Directorate-General for the Management of the Game may establish the obligation that the procedure for the preservation of the copies of the binaries include a fingerprint of the binaries.

In relation to requirements 1, 2, 3, 4 and 5 above, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

l) Information loss prevention plan.

In accordance with paragraph 4.15 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. There is a plan for the prevention of the loss of data or transactions affecting the development of the games, the rights of the participants or the public interest.

2. There is a plan of measures to comply with the information loss prevention plan, which will include the following:

a) Location where copies of the information will be kept.

b) Backup protection measures against unauthorized access.

3. There is an action procedure in case of loss of information, which will include the following:

a) Mechanisms for handling claims.

b) Continuation mechanisms for interrupted games.

In relation to requirements 1, 2 and 3 above, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

m) Business continuity management.

In accordance with paragraphs 4.14 and 4.16 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification body must verify that:

1. There is business continuity management for disasters, which will include the following:

a) Technical, human and organizational measures required to ensure continuity of service.

b) Replica of the Central Games Unit that allows the normal development of the activity.

2. The continuity plan considers the following scenarios:

a) User registration and game account, with the possibility for users to consult the balance and the movements of their associated game accounts. The maximum time to provide these services again will be one week.

b) Withdrawal of funds. The maximum time to provide these services again will be one week.

c) Continuation of incomplete games or pending bets and payment of the prizes validly achieved. The maximum time to provide these services again will be one month.

d) Full restoration of all services.

3. The following information is included in all scenarios:

a) Services recovered.

b) Maximum recovery time.

In relation to requirements 1, 2 and 3 above, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with those requirements is established.

Those organizations that have obtained the current ISO 27001 certification will be able to conform to the requirements of this area. The comments section shall indicate 'ISO 27001'.

n) Penetration and vulnerability analysis.

In accordance with paragraph 4.17 of Annex I to the Resolution of 6 October 2014, of the Directorate-General for the Management of the Game, approving the provision for the development of the technical specifications for the game, traceability and security that must be met by the non-reserved technical gaming systems subject to licences granted under Law 13/2011, of 27 May, of regulation of the game, the certification entity must verify that:

1. In the last year the gaming technical system has passed a penetration test and vulnerability analysis.

2. There is a plan for vulnerability analysis to be carried out at least annually.

In relation to requirement 1 above, the certification body shall record, in the observations field, the documentary references and the sections within them in which compliance with that requirement is established.