The Online Casino Gambling (Minimum Standards) 2026 (Minimum Standards) came into force on 8 July 2026, completing the primary regulatory architecture for New Zealand's new online casino gambling regime. The Minimum Standards sit alongside the Online Casino Gambling Regulations 2026 (Regulations) and set the technical floor that every licensed operator's platform must meet from day one.
For operators preparing expressions of interest (EOI) ahead of the process opening on 17 July, and for those planning their licence application, the Minimum Standards are not a future compliance concern – they define what your platform must actually do. This alert walks through the key requirements and what they mean in practice.
What the Minimum Standards cover
The Minimum Standards are organised across three parts:
- Part 1, Harm Prevention and Minimisation (standards 5–10): Measures and features including limit setting, breaks-in-play, time-outs, pop-up alerts, self-exclusion, customer support, progressive jackpot systems, and game design.
- Part 2, Consumer Protection (standards 11–16): Key consumer protection requirements like identity verification, customer location, informed decision making, random number generators, live dealer operations, and peer-to-peer game controls.
- Part 3, Information Security and Access (standards 17–19): Platform security and access controls including ISO/IEC 27001:2022 controls, payment card industry data security standard payment compliance, and hosting restrictions.
The table below sets out each of the 15 standards across Parts 1, 2, and 3 of the Minimum Standards, together with a high-level summary of what each standard requires and our practical commentary on the key compliance implications for operators.
| Standard | High-level summary | Practical comment |
| Part 1: Harm Prevention | ||
| Limit setting (standard 5) | Time, deposit, and spend limits must be easy to access at any time (including on deposit pages) and configurable by free text entry. Where simultaneous limits apply, the lower limit governs. Once a limit is set, the platform must wait at least 24 hours before permitting any increase or removal. | The 24-hour cooling-off applies at the platform-system level and cannot be managed by policy or manual override. Operators must hard-code this delay into their limit-management architecture. This mirrors the pervasive 24-hour rule flagged in the earlier alert covering the Act and Regulations. |
| Breaks-in-play, time-outs, and pop-up alerts (standard 6) | These tools must be easy to access at any time after account opening. The 24-hour cooling-off applies equally: the platform must wait at least 24 hours before allowing a customer to remove a break-in-play or time-out, increase the time between pop-up alerts, shorten a time-out, or make a break-in-play shorter or less frequent. | The 24-hour system-level rule applies in the same way as for limit setting (standard 5). |
Self-exclusion (standard 7) | The platform must maintain a live register of self-excluded customers. Account activation and each login must be checked against the register, and any customer on it must be prevented from accessing online casino gambling on the platform. | The check must occur at both account activation and every subsequent login – a one-time check at registration is not sufficient. Operators should confirm their identity and session management systems can perform this check in real time at login without adding latency that affects the user experience. |
Customer support (standard 8) | Live customer support must be accessible at all times, actively monitored, and capable of responding in real time. This is a 24/7 requirement. | Operators should ensure their support infrastructure is genuinely staffed and monitored around the clock, not merely available in form. |
Progressive jackpots (standard 9) | Jackpot rules must be clearly accessible within the game and must explain funding, seed and ceiling values, prize determination, and contribution management once a ceiling is reached. All customers must be able to view the current jackpot value or values, and they must be updated as frequently as practicable. Where a jackpot pool containing customer contributions is decommissioned, those contributions must be returned fairly with priority given to contributing customers. Where a customer wins a jackpot, they must be notified of their win immediately after it is triggered, with other eligible customers being adequately notified of the jackpot reset value and its new value. | Where an operator licenses a network jackpot product from a third-party supplier, the decommissioning obligation still falls on the operator as licence holder. Operators should review their network jackpot agreements to confirm they have contractual rights to require the supplier to return customer contributions, and access to the contribution data needed to do so. |
Game design (standard 10) | Key requirements: (1) Minimum 2.5-second inter-round interval across all game types, not by-passable by autoplay. (2) Each game round requires a separate, deliberate customer action – continuous contact cannot initiate a new round. (3) No simultaneous multi-slot play. (4) Customers must always be able to track time; platforms using full-screen applications that obscure the device clock must display the time of day or elapsed time. (5) Games using pre-determined prize patterns must not change winning positions during play except as provided in the game rules. (6) Where a paid game has different odds/return to player to an equivalent free-to-play game on the gambling platform, this must be clearly communicated to all customers before they place a bet, pay, or stake consideration on the paid game. | The 2.5-second inter-round rule and the prohibition on auto-initiating rounds will likely require configuration changes for most offshore platforms. Operators should carry out a gap analysis against their current platform settings before lodging an EOI. |
| Part 2: Consumer protection | ||
Identity verification (standard 11) | All customer accounts must be uniquely identifiable. Customers must authenticate with at least a unique identifier and password at each login, with multi factor authentication (MFA) available for sensitive activities (login, registering new payment methods, resetting passwords). Automatic logout after inactivity is required, not exceeding 30 minutes. | MFA must be offered but is not mandated for all logins. However, it must be available for sensitive activities – operators should consider whether making MFA mandatory for withdrawals and payment method changes is appropriate from a consumer protection perspective. |
Customer location (standard 12) | The platform must only be available to persons located in New Zealand. It must have mechanisms to detect customer location and block access where NZ location cannot be verified. Operators must take reasonable steps to identify and mitigate the use of VPNs, proxies, or similar circumvention technologies. | The standard does not mandate a specific technical approach, but the “reasonable steps” obligation to detect VPN use will require dedicated VPN-detection tooling rather than reliance solely on IP geolocation. Operators should document their methodology as it will likely be relevant to DIA compliance assessments. |
Informed decision making (standard 13) | Games must display the customer's net position (total winnings minus total losses) since the game started. Game rules, odds, and return to player (as a percentage) must be easy to access at all times. On service interruption, the platform must recover in a timely fashion, void bets where appropriate, and pay the customer the amount won up to that point or return their bet – whichever is better for the customer. | The customer-favourable settlement rule on service interruption is an express minimum standard. Operators' existing business continuity and fault-handling protocols should be reviewed against this requirement, particularly for live dealer games where determining the “amount won up to that point” may not be straightforward. |
Random number generators (RNG) (standard 14) | RNG must be “acceptably random” – demonstrable to a high degree of confidence through statistical analysis using generally accepted tests. Adaptive or compensated games are expressly prohibited. pseudo-RNGs must be cryptographically secure and must satisfy requirements for uniform distribution, unpredictability, non-cyclical output, robust seeding, and continuous integrity monitoring. Where an anomaly is detected, the affected game must be immediately deactivated. | Operators using third-party game content should obtain certification evidence from game suppliers demonstrating compliance with the RNG requirements. Where certification is to a different standard (e.g. UKGC or Malta Gaming Authority), operators will need to assess whether that certification is sufficient or whether additional testing is required. |
Live dealer operations (standard 15) | Equipment used in live dealer operations must be of commercial casino quality meeting the standards under the Gambling Act 2003 or equivalent overseas legislation. Secure areas must be access-controlled with privileges based on employment status and job requirements, and all access activity related to granting, modifying and revoking access privileges, must be logged. Video surveillance of all dealer activity is required. | For offshore live dealer studios, the reference to “overseas legislation equivalent to the Gambling Act 2003” will need careful assessment. Operators should document which jurisdiction's standards apply to their studio and be prepared to demonstrate equivalence to DIA. |
Peer-to-peer games (standard 16) | For peer-to-peer casino games, the platform must be capable of identifying prohibited customer behaviour, must prevent a player from playing against themselves or occupying more than one seat at a table, and must retain records to facilitate investigation and be capable of suspending or disabling accounts or sessions. | Operators should ensure their peer-to-peer game architecture has real-time seat and identity controls, and that session records are retained in a format that supports DIA investigation requests. |
| Part 3: Information security | ||
ISO/IEC 27001:2022 controls (standard 17) | Operators must comply with a specified subset of controls from Annex A of ISO 27001:2022, covering organisational, people, physical, and technological control categories, including threat intelligence, access control, identity management, supplier security, incident management, business continuity, cryptography, secure development, and change management. | Formal ISO 27001 certification is not required, but compliance with the specified controls must be evidenced. Operators with existing certification should map their scope against the specific controls in standard 17 to identify gaps. Operators without certification should begin a gap analysis immediately – implementing the required controls is likely to take a number of months in practice. |
Payment systems (standard 18) | Payment service providers processing transactions must be compliant with PCI DSS v4.0.1 (2024). This obligation falls on the payment service provider (PSP), but operators should confirm PCI DSS compliance in their PSP agreements and conduct appropriate due diligence. | Operators should build PCI DSS v4.0.1 compliance confirmation into their PSP contracting and ongoing supplier review processes. |
Hosting (standard 19) | Technology infrastructure must not be hosted, stored, processed, or transmit customer data in any jurisdiction where doing so would be likely to prejudice New Zealand's international reputation in relation to trade or the maintenance of the law. | The restriction does not specify a list of prohibited jurisdictions and will require case-by-case assessment. Operators using multi-region cloud infrastructure should map their data flows and identify any data centre locations in jurisdictions that may raise concerns. This assessment will need to be revisited as geopolitical and regulatory conditions change. |
What this means for EOI applicants
The EOI process opens on 17 July 2026. While the EOI does not require a platform to be live, the Minimum Standards define the technical baseline that platforms must meet by the time a licence is granted and licence holders’ 90-day launch window begins. Applicants should use the period between EOI lodgement and any subsequent licence grant to:
- Conduct a gap analysis: If already operating a platform, assess your current platform against each of the 19 standards to identify any gaps or non-compliance.
- Consider your harm minimisation strategy: The harm prevention and minimisation obligations in Part 1 are not merely platform features; they are central to consumer protection and harm prevention strategies, which are key components of the stage three licence application.
- Review/consider third-party arrangements: Game suppliers, jackpot network providers, and payment service providers will each need to demonstrate compliance with relevant standards. Build Minimum Standards compliance obligations into your supplier agreements.
- Prepare technical documentation: DIA will assess platform suitability as part of the licence application. Operators should begin compiling the documentation (including test reports, ISO 27001 gap analyses, and VPN-detection methodology) that will support that assessment.
Our team has been closely tracking the development of this regime since the Act was introduced. We have an Obligations Summary mapping key licence holder obligations across the Act and now the Minimum Standards.
Get in touch
If you are considering entering the New Zealand online casino gambling market or have questions about the Minimum Standards or the EOI process, please get in touch with our team.