The MGA's revised Critical Supplier guidelines (effective Q2 2026) introduce three new documentation categories: business-continuity testing evidence, sub-processor concentration risk and an explicit AI / model-governance disclosure for any supplier deploying ML in player-protection or fraud workflows.
Business-continuity testing now requires documented quarterly tabletop exercises with named participants and signed minutes, plus an annual full-failover drill measured against the operator's SLA. This is the most operationally heavy of the three changes: most suppliers we know are already running quarterly tabletops, but the MGA now requires the audit trail to look like the one an MGA auditor would assemble.
Sub-processor concentration risk is a disclosure exercise: any sub-processor handling more than 25% of platform-bound traffic must be named, and the operator must hold a documented mitigation plan. This is largely a documentation pass for suppliers already running on diversified infrastructure.
The AI / model-governance disclosure is the single biggest unknown. The MGA hasn't published a final template, but the draft asks for the data flow, the origin of the training data, the bias-testing methodology and the human-in-the-loop intervention path. Suppliers running anti-fraud or responsible-gaming ML models should expect to map their model documentation into the new template.