THE GLOBAL GAMBLING INDUSTRY IS STILL DEALING WITH ONE FUNDAMENTAL PROBLEM: TOO MANY RULES, NOT ENOUGH CONSISTENCY.
In recent years, regulators have made steady progress in areas like responsible gambling and player protection, especially in Europe.
But ask Mark Pace, president of the International Gaming Standards Association (IGSA), and he’ll tell you the global gambling industry is still dealing with one fundamental problem: too many rules, not enough consistency.
Pace thinks the industry is spending far too much time trying to make sense of regulatory frameworks that differ from one country to the next. For operators working across borders, that means constant readjustments, new compliance hurdles, and a system that feels more reactive than strategic. His solution? Push for widespread standardisation—not across everything, but enough to eliminate the constant reinvention of the wheel.
“If we can align on 85 to 90 percent of technical requirements, that would change the game,” says Pace. “That last 10 percent will always be local. But we’re losing a lot of time and energy handling things that could easily be unified.”
The IGSA was formed in 1998 to help create common ground between gambling suppliers, operators, and regulators. The group includes heavyweights like IGT, Merkur, and Novomatic. Through the years, it’s published best practices for everything from game logic to reporting systems. What Pace wants now is for more regulators to lean into those standards and make them the default starting point.
It’s not just about efficiency—it’s about protection. Cybersecurity, for example, has become a key pressure point for the entire industry. The high-profile cyberattack on MGM Resorts in 2023 left systems offline and reportedly cost the company up to $100 million. Other operators haven’t been as public about breaches, but they’re happening. Player data has shown up on the dark web. Ransomware hits are becoming more sophisticated. And Pace doesn’t think the industry is doing nearly enough to stay ahead of these risks.
“One of the biggest problems is that many markets don’t even require proper cybersecurity audits,” he says. “And when they do, it’s often basic stuff—penetration tests and surface-level checks. That’s not good enough anymore.”
According to Pace, cybersecurity can’t just be about monitoring networks or running simulations. It starts way earlier—at the chip level. He warns that if companies aren’t vetting hardware manufacturers or the facilities installing components onto boards, they’re leaving massive openings in their infrastructure.
In the past, attackers have exploited those weak points, modifying chips before they even reached casino floors. It’s not science fiction—it’s supply chain manipulation, and it’s been done in other sectors, from finance to defense.
“We keep focusing on the endpoint, but look at the whole chain. Where are your chips coming from? Who tested them? Who installed them?” he says.
Ireland’s new gambling regulator has already taken steps to mandate stronger tech controls, including customer data protections and system integrity requirements. But according to Pace, more countries need to treat cybersecurity as a baseline—not an afterthought.
The IGSA’s cyber resiliency committee is currently developing a set of best practices aimed at giving regulators and operators a clearer view of what real cyber preparedness looks like. That includes policies around device usage, data onboarding, and incident response planning—not just locking the doors after someone’s broken in.
Even with better preparation, there’s no perfect shield. Threat actors will always try to find the softest entry point.
“You can’t stop everything,” Pace admits. “But you can raise the bar so high that it’s not worth their effort.”
Another issue he sees? Silence. Companies often keep attacks under wraps until the damage is long done. That lack of transparency gives attackers the upper hand. While bad actors trade stolen credentials in underground forums, legitimate companies hesitate to share what happened—or how they were breached.
“The good guys need to talk more,” he says. “If someone gets hacked, others need to know how, so they can plug that hole before it’s exploited again.”
Alongside cybersecurity, the IGSA is also moving to tackle AI regulation. A new committee is drafting ethical guidelines for how artificial intelligence should be used in gambling systems. But instead of dissecting how algorithms are written, Pace wants regulators to focus on the data fed into them.
“The real question is, what’s the input?” he explains. “Is it clean? Is it biased? Are you even sure it’s accurate?”
He argues that regulators shouldn’t be trying to reverse-engineer neural networks—they should be defining what data gets used, how it’s monitored, and what checks are in place to ensure fairness.
That AI working group expects to release eight guidelines later this year, covering issues like bias detection, model transparency, and data governance.
It all ties back to the same idea: the sector’s foundation needs to be stronger. Whether it’s about cyber threats, data handling, or regulatory frameworks, IGSA’s message is clear—do the hard work now to avoid the bigger problems later.
As Pace puts it, “We’re never going to have total harmony. But we can absolutely stop the chaos.”
