Compliance Requirements for iGaming: A Practical Guide for EU Operators

If you run an iGaming business in the EU, or you are considering entering the European market, you already know that compliance is not a one-time project. It is the operating condition. Every license renewal, every player onboarding, every payment processed and every transaction flagged is part of a continuous compliance conversation with regulators who are moving faster than ever.
And they are moving fast. 2025 has been described by industry observers as a record year for gambling reforms across Europe, with major markets introducing new player protection rules, tighter AML requirements, and stricter licensing conditions almost simultaneously. Meanwhile, the EU's new AML package, which includes the Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) and the Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2024/1640), is reshaping what compliance looks like at a foundational level across all obliged entities, including iGaming operators.
This guide is written for compliance professionals, legal teams, and operators who need a clear, honest, and current picture of what iGaming compliance requires in the EU right now, and what is coming by 2027.
Why iGaming Compliance in the EU Is Uniquely Complex
The honest answer to why iGaming compliance is hard in Europe is that there is no single European iGaming law. The EU does not have a unified gambling directive in the way it has unified data protection law under GDPR or AML law under the AMLR. Instead, each member state retains full authority to regulate gambling within its own jurisdiction, meaning that a business operating in five EU markets is effectively managing five separate regulatory relationships simultaneously.
What the EU does control are the cross-cutting frameworks that apply to iGaming regardless of where the license is held. GDPR governs how player data is collected, stored, and processed. The AML directives have historically set the framework for KYC, transaction monitoring, and suspicious activity reporting. The Digital Services Act is increasingly relevant to how operators manage advertising and harmful content online. These EU-level frameworks apply in full even when a national gambling law is more permissive.
The result is a compliance environment with two distinct layers. The first layer is EU-wide obligations that cannot be negotiated away by obtaining a favorable local license. The second layer is jurisdiction-specific requirements that vary so significantly that a campaign structure, a bonus offer, or a payment method that is perfectly legal in Malta may expose an operator to regulatory action in Germany or the Netherlands.
The EU AML Framework and What It Means for iGaming
AML compliance has always been central to iGaming. The sector processes large volumes of financial transactions, involves anonymous or pseudonymous digital interactions, and attracts a small but significant proportion of actors seeking to launder proceeds of crime. Regulators have known this for decades, which is why iGaming operators have been classified as obliged entities under EU AML directives since the fourth directive came into force.
What is changing now is the architecture of the framework itself.
In May 2024, the EU adopted a new AML package consisting of three instruments. The AMLR (Regulation (EU) 2024/1624) is a directly applicable regulation that will function as a single rulebook for all obliged entities across the EU, eliminating the inconsistencies that arose from national transpositions of previous directives. The AMLD6 (Directive (EU) 2024/1640) sets the supervisory and enforcement structures that member states must implement at national level. And the AMLA Regulation (Regulation (EU) 2024/1620) establishes the new European Anti-Money Laundering Authority (AMLA), which became operational on 1 July 2025 and is headquartered in Frankfurt.
The AMLR and AMLD6 apply fully from 10 July 2027. This means compliance teams have a defined window to prepare, but it is shorter than it looks. AMLA is required to publish 23 sets of regulatory and implementing technical standards, most of them due by July 2026, which means 2026 is effectively the year operators need to be running gap analyses and redesigning processes, not watching and waiting.
For iGaming operators specifically, the key changes in the new framework include the following.
Customer Due Diligence (CDD) requirements are being harmonised across all 27 member states through the AMLR. Previously, operators in different countries faced slightly different national implementations of the same directive. From 2027, the obligations will be identical regardless of where the operator is licensed, and simplified CDD will only be available where risk assessments genuinely justify it.
The beneficial ownership threshold, which previously required disclosure at 25% or above, is being brought into line with a harmonised EU-wide definition. More significantly, for high-risk sectors, the European Commission may lower the threshold to 15%, which would affect how iGaming operators conduct KYB checks on corporate clients and B2B partners.
Perpetual KYC (pKYC) is introduced under the AMLA framework. Customer information for high-risk individuals must be updated at intervals not exceeding one year. For lower-risk relationships, the maximum interval is five years. This is a significant operational commitment for platforms with large player bases.
Crypto-asset service providers (CASPs), which now include platforms that accept cryptocurrency for gaming, are explicitly brought within the full AML scope under the AMLR. The Travel Rule, which requires full traceability of crypto-asset transfers including sender identity, recipient identity, and transaction amount, already applies. iGaming platforms that accept crypto payments must ensure their technical infrastructure can meet these obligations now, not in 2027.
Licensing: The Foundation Everything Else Rests On
Before an EU iGaming operator can discuss AML compliance, responsible gambling tools, or GDPR policies, they need a license. And in Europe, licensing is emphatically national.
There is no EU-wide iGaming license. Obtaining a license from the Malta Gaming Authority (MGA) does not automatically authorize you to accept players in Germany, France, or the Netherlands. Some countries recognize MGA licenses as evidence of operational competence and use them to streamline local applications, but this recognition is not universal and does not override national law.
The major EU licensing jurisdictions each have distinct characteristics. Here is a factual overview of the most significant ones.
Malta (MGA)
The Malta Gaming Authority is the most internationally recognized EU gaming regulator and one of the largest by number of licensed operators. Malta was the first EU member state to specifically regulate online gaming. The MGA issues B2C and B2B licenses covering four game types: games of chance played against the house (Type 1, including casino games); fixed-odds betting (Type 2); peer-to-peer games and pool betting (Type 3); and controlled skill games (Type 4). The licensing process includes a fit-and-proper check, a detailed business plan review, a system and compliance audit, and a 60-day live testing period in a controlled environment. Initial application fees range between €5,000 and €25,000, with ongoing compliance contributions thereafter. New operators qualify for a moratorium period of twelve months in which compliance contributions are not due. The MGA requires operators to demonstrate AML compliance, maintain adequate share capital, and implement robust responsible gambling tools as ongoing license conditions.
Germany
Germany's iGaming regulatory environment has shifted significantly in recent years. The Fourth State Treaty on Gambling (Glücksspielneuordnungsstaatsvertrag), which came into force in 2021, introduced online casino games and poker under a federal licensing framework, but with restrictions. Online table games such as blackjack and roulette have historically been permitted only under a state monopoly. In February 2025, Baden-Württemberg allowed residents to play online blackjack and roulette through the state-owned Toto-Lotto GmbH. All licensed operators in Germany must integrate with OASIS, the national centralized self-exclusion system, and complete immediate KYC verification at sign-up. Germany also imposes deposit limits and stake restrictions.
Netherlands
The Netherlands legalized online gambling in 2021 and is regulated by the Kansspelautoriteit (KSA). The KSA applies strict responsible gambling requirements including mandatory integration with the national CRUKS self-exclusion system. Universal deposit limits and enhanced advertising restrictions have been proposed in 2025, reflecting the KSA's ongoing tightening of the regulatory environment.
Italy
Italy runs one of the most expensive licensing regimes in the EU. Each online gambling concession costs €7 million, the highest licensing fee in the bloc, and operators pay an additional 3% annual tax on net revenue. Italy launched a major tender process in 2025 for new concessions, requiring applicants to be incorporated within the EU or EEA, maintain a registered office in Italy for tax purposes, and comply with ISO certifications for quality management, social responsibility, and data security. The Italian regulator ADM has also launched an AI-driven compliance enforcement plan covering the period 2025 to 2027.
Spain
Spain operates a competitive federal licensing system through the Directorate General for the Regulation of Gambling (DGOJ). Advertising is heavily restricted, with a blanket ban on gambling ads between 1am and 5am, and limitations on sponsorships and bonus promotions. Spain implemented a behavioral risk detection algorithm in 2023 that is due to become mandatory for all operators in 2026.
The KYC Obligation: What It Actually Requires
Know Your Customer is the operational heart of AML compliance in iGaming. Under both current directives and the forthcoming AMLR, EU iGaming operators are required to verify the identity of every player before allowing deposits, bets, or withdrawals. The previous practice in some jurisdictions of allowing a grace period before verification was completed has been eliminated across major markets.
In Germany, instant KYC at sign-up has been mandatory since 2025. In the UK (which retains close alignment with EU-equivalent standards in this area), the 72-hour verification grace period was eliminated, requiring immediate identity and age verification before a player can deposit. These developments reflect a broader EU regulatory expectation that operators will not allow gameplay to commence before identity is confirmed.
What KYC actually requires from operators in practice is the following. Identity verification must use government-issued documentation such as a passport or national identity card. The verification process must be robust enough to satisfy the operator's AML risk assessment. For players identified as politically exposed persons (PEPs) or those engaging in high-value transactions, enhanced due diligence (EDD) is required. The AMLR harmonises the definition of PEPs across all member states, ending the current divergence in who counts as a PEP under national law.
The EU's eIDAS regulation and the forthcoming eIDAS 2.0, which mandates at least one EU Digital Identity Wallet per member state by end of 2026, will provide a harmonised digital onboarding pathway. Under the AMLR, eIDAS-compliant digital identification is treated as equivalent to face-to-face verification, which is significant for operators running fully digital onboarding flows. By 2027, all obliged entities will be required to accept the EU Digital Identity Wallet for KYC and AML onboarding.
Transaction Monitoring and Suspicious Activity Reporting
KYC at onboarding is only the starting point. Ongoing transaction monitoring is a separate and continuing obligation that runs for the entire duration of the player relationship.
EU iGaming operators are required to monitor player transactions for patterns consistent with money laundering or terrorist financing. This means building or procuring systems capable of real-time transaction scoring, sanction list screening, PEP monitoring, and automated suspicious activity flagging. Under the AMLR, suspicious activity reports must be submitted to the relevant Financial Intelligence Unit (FIU), and once a report has been submitted, FIU requests must be answered within five working days.
The AMLA framework introduces the concept of perpetual KYC, meaning that transaction monitoring is not a one-time event but a continuous process that triggers re-verification when risk indicators change. High-risk customers must be reviewed at least annually regardless of whether a specific trigger has occurred.
In Italy, the ADM's 2025 to 2027 national compliance plan explicitly requires cooperation with the Financial Intelligence Unit and the Financial Police, and mandates transaction monitoring as a named compliance obligation for all licensed operators.
A European cash payment cap of €10,000 applies from 2027 under the AMLR, above which cash transactions between businesses are prohibited. Operators will also be required to verify and identify customers for cash-equivalent transactions of €3,000 or more.
GDPR and Data Protection in iGaming
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies to all iGaming operators processing personal data of EU residents, regardless of where the operator is established. For a sector that collects identity documents, behavioral data, payment information, and transaction histories, this is not a peripheral obligation.
GDPR compliance in iGaming requires lawful basis for all data processing activities, including explicit consent where consent is the chosen basis. Players have the right to access their data, request its correction or deletion, and object to processing, including profiling. Data minimisation principles mean operators should not collect more information than is necessary for the stated purpose.
The tension between GDPR's data minimisation principles and AML's data retention requirements is a real operational challenge. AML obligations under both the current directives and the AMLR require operators to retain identity verification and transaction records for defined periods. GDPR does not override these obligations but requires that data is not retained for longer than legally required and that access to retained data is appropriately restricted.
Violations of GDPR carry a two-tier fine structure. Severe violations, including processing without lawful basis or failing to respect data subject rights, can attract fines of up to €20 million or 4% of global annual turnover, whichever is higher.
Responsible Gambling: From Obligation to Operational Commitment
Responsible gambling requirements have moved from a peripheral compliance concern to a central regulatory priority across the EU. The direction of travel is consistent: regulators in every major market are requiring more of operators, with greater granularity, stronger enforcement, and higher penalties for failures.
The baseline responsible gambling toolkit that is now expected across most EU markets includes deposit limits, loss limits, session time limits, reality checks, self-exclusion options, and referral pathways to problem gambling support services. In Germany, OASIS integration is mandatory and means that a player who self-excludes through any licensed operator is immediately excluded from all licensed platforms. The Netherlands has the CRUKS system, which functions in the same way. Spain's national self-exclusion register, RGIAJ, operates on the same cross-operator model.
Beyond tools, advanced markets are now requiring operators to deploy automated behavioral detection systems that identify indicators of problem gambling in real time, triggering account assessments, additional verification, or temporary suspensions where necessary.
The UK provides a useful benchmark for where EU markets are heading. As of October 2025, UKGC rules require operators to enforce deposit limits before a player's first deposit, simplify spending review processes for customers, and send reminders every six months prompting customers to review their financial limits. Spain's mandatory behavioral risk algorithm, coming into force in 2026, follows the same logic.
The Advertising Rules Operators Cannot Ignore
Advertising is one of the highest-risk compliance areas for EU iGaming operators, combining national gambling law, the Digital Services Act, and GDPR into a framework that varies sharply between jurisdictions.
The common thread across major EU markets is restriction rather than prohibition. Italy has significant advertising restrictions in place. Spain bans gambling ads between 1am and 5am and limits sponsorships. Sweden imposes strict rules on promotional content. The Netherlands continues to tighten its advertising framework. In practical terms, a campaign that is fully compliant in Malta could generate enforcement action in Germany, Spain, or the Netherlands.
The EU's Digital Services Act adds an additional layer by requiring platforms to be transparent about advertising targeting, prohibiting targeted advertising directed at minors, and creating new obligations around so-called very large online platforms. Where iGaming operators use third-party digital platforms for advertising, they inherit obligations around how targeting parameters are set and documented.
iGaming Compliance Requirements: A Country Comparison Table
Country | Regulator | License Type | KYC at Sign-Up | Self-Exclusion System | Advertising Restrictions | Crypto Accepted
Malta | MGA | B2C and B2B (4 types) | Mandatory | Operator-level tools | Moderate | Yes (under DLT policy)
Germany | | Federal license | Instant (mandatory 2025) | OASIS (national) | High | Restricted
Netherlands | KSA | National license | Mandatory | CRUKS (national) | High (tightening) | Limited
Italy | ADM | Concession (9 years) | Mandatory | National register | Very high | Restricted
Spain | DGOJ | Federal license | Mandatory | RGIAJ (national) | Very high | Restricted
Estonia | | National license | Mandatory | National register | Moderate | Permitted
Sweden | | National license | BankID (mandatory) | Spelpaus (national) | High | Restricted
Note: All operators across EU member states are subject to GDPR (Regulation (EU) 2016/679) and the EU AML directives, in addition to national licensing requirements. The AMLR (Regulation (EU) 2024/1624) will apply directly from 10 July 2027.
Cybersecurity: The Compliance Obligation Operators Underestimate
Cybersecurity sits at the intersection of licensing, GDPR, and AML compliance and is increasingly treated as a core regulatory expectation in its own right.
iGaming platforms touch identity documents, payment data, behavioral profiles, and live transaction flows. This makes them attractive targets for account takeover attacks, credential abuse, bonus fraud, money-laundering attempts through player accounts, and data breaches. Regulatory expectations across the EU now include encryption of personal and financial data at rest and in transit, access controls limiting who within the organisation can view sensitive player information, real-time fraud monitoring integrated with AML transaction monitoring, incident response procedures, and regular independent technical audits.
The MGA's licensing process includes a system and compliance audit carried out by an approved independent auditor before a license is issued and at defined intervals during the license period. Italy's 2025 concessions require compliance with ISO certifications covering data security as a condition of market entry. GDPR imposes a 72-hour mandatory breach notification requirement to the relevant supervisory authority when a personal data breach is likely to result in a risk to individuals' rights and freedoms.
The 2027 Compliance Deadline and What Operators Should Do Now
The AMLR and AMLD6 apply fully from 10 July 2027. For compliance teams, the working timeline is considerably shorter than that date implies.
AMLA is required to publish 23 sets of regulatory technical standards by July 2026. Most of these will directly affect how iGaming operators structure their CDD procedures, their UBO verification workflows, their enhanced due diligence for high-risk customers, and their suspicious activity reporting. Operators who wait until 2027 to read and respond to those standards will not have time to implement them.
The practical steps for iGaming compliance teams between now and 2027 are as follows.
Conduct a gap analysis against the AMLR requirements, not the current directive. The AMLR introduces changes in CDD, UBO thresholds, PEP definitions, and perpetual KYC that will require process redesign, not just policy updates.
Review your UBO data and reassess shareholder and ownership structures for corporate clients and B2B partners. The harmonised beneficial ownership definition may bring additional individuals within scope.
If your platform accepts cryptocurrency, audit your crypto payment processes against the Travel Rule and the AMLR's CDD requirements for crypto-asset transactions.
Engage with AMLA's consultation processes on the technical standards. For businesses with legal and compliance teams, participating in or monitoring these processes is the earliest possible indication of what the detailed requirements will look like.
Review jurisdiction-specific obligations in each market where you hold a license. The AMLR does not replace national licensing law or jurisdiction-specific responsible gambling requirements.
About SpeedyDD
At SpeedyDD, our mission is to help complex and regulated businesses stay audit-ready without the operational burden that compliance typically carries.
We built SpeedyDD specifically for industries where the stakes of a compliance failure are high: companies in iGaming, financial services, payment processing, and other regulated sectors where KYC, KYB, and ongoing due diligence are not optional extras but operational necessities.
SpeedyDD connects with over 30,000 corporate registry data sources across more than 200 countries and territories, giving compliance teams access to the entity data they need to conduct thorough due diligence on business partners, licensees, suppliers, and counterparties.
For iGaming operators managing multi-jurisdictional compliance, maintaining audit readiness means having a traceable, documented, and continuously updated picture of every entity in your operational ecosystem. That is what SpeedyDD is designed to make possible.
Frequently Asked Questions
Is there a single EU-wide iGaming license?
No. There is no single EU iGaming license that authorizes operation across all member states. Each EU country maintains its own licensing framework, and a license from one jurisdiction, including Malta, does not automatically authorize an operator to accept players in other member states. Operators must assess product legality, licensing requirements, advertising rules, and AML obligations market by market.
Which EU-level regulations apply to all iGaming operators regardless of national license?
GDPR (Regulation (EU) 2016/679) applies to all operators processing personal data of EU residents. The current AML directives (AMLD4 and AMLD5) apply to iGaming operators as obliged entities. From 10 July 2027, the AMLR (Regulation (EU) 2024/1624) will apply directly and uniformly across all member states. The Digital Services Act and the EU Travel Rule for crypto-asset transfers also apply where relevant.
What is the AMLA and when does it become relevant to iGaming operators?
The AMLA is the European Anti-Money Laundering Authority, established under Regulation (EU) 2024/1620 and operational since 1 July 2025. It is headquartered in Frankfurt and will directly supervise around 40 of Europe's highest-risk financial institutions from 2027. More immediately for iGaming, AMLA is responsible for publishing the technical standards under the AMLR, most of which are due by July 2026 and will define how CDD, UBO verification, and suspicious activity reporting work in practice.
What is the difference between KYC and KYB in an iGaming context?
KYC (Know Your Customer) refers to the identity verification of individual players, including age verification, identity document checks, and source of funds for high-value accounts. KYB (Know Your Business) applies to corporate counterparties, B2B suppliers, payment providers, affiliate networks, and other business relationships. Both are required under AML obligations. KYB typically involves verifying the legal existence of the business entity, identifying ultimate beneficial owners, and assessing the risk profile of the business relationship.
What does the AMLR change about beneficial ownership verification?
The AMLR harmonises the definition of beneficial ownership across all EU member states. A beneficial owner is anyone with at least 25% ownership, voting rights, or other ownership interests in a company. For high-risk sectors, the European Commission may lower the threshold to 15%. The AMLR also strengthens requirements for the accuracy and accessibility of national beneficial ownership registers, requires reporting of discrepancies between internal records and official registers, and interconnects national registers through the BORIS system for cross-border checks.
What are the penalties for non-compliance in EU iGaming?
Penalties vary by jurisdiction and by the type of violation. GDPR violations can attract fines of up to €20 million or 4% of global annual turnover for severe breaches. National gambling regulators have their own enforcement powers: the MGA can revoke licenses and impose administrative penalties under the Gaming Act. National AML supervisors apply their own sanction regimes, which the AMLD6 harmonises to a degree. In practice, documented enforcement actions in the iGaming sector have included multi-million euro and multi-million pound fines, license suspensions, and public enforcement notices.
Do iGaming operators need to comply with GDPR even if they are licensed outside the EU?
Yes. GDPR applies based on where the data subject is located, not where the operator is established. An operator licensed in a non-EU jurisdiction but offering services to EU residents is subject to GDPR if it monitors the behavior of EU residents or offers goods and services to them. This is a commonly misunderstood point that has practical implications for any operator accepting EU players, regardless of license location.
How does responsible gambling compliance interact with GDPR?
Responsible gambling tools require operators to collect and analyze player behavioral data to identify risk indicators. This processing must have a lawful basis under GDPR. In many cases, operators rely on either consent or legitimate interests, but the latter requires a documented balancing test. Data used for behavioral monitoring must be handled with the same data protection standards as all other personal data, including appropriate retention limits, access controls, and security measures. Operators must be able to demonstrate compliance with both frameworks simultaneously.
What is perpetual KYC and does it apply to iGaming?
Perpetual KYC (pKYC) is the concept of continuously monitoring and updating customer due diligence information throughout the relationship rather than conducting periodic static reviews. The AMLA framework introduces formal pKYC requirements: high-risk customers must have their information updated at intervals not exceeding one year, and lower-risk customers at intervals not exceeding five years, with continuous monitoring throughout. iGaming operators with players classified as high-risk must build systems capable of meeting this ongoing obligation from 2027.
Is cryptocurrency use in iGaming legal in the EU?
It depends on the jurisdiction. The MGA has been among the first EU regulators to develop a formal policy on cryptocurrency and distributed ledger technology in gaming. Other jurisdictions are more restrictive. Across the EU, the MiCA regulation (Markets in Crypto-Assets, Regulation (EU) 2023/1114) now provides the licensing framework for crypto-asset service providers, and iGaming platforms accepting crypto payments must ensure their payment infrastructure meets MiCA requirements as well as the AML Travel Rule, which requires full traceability of all crypto-asset transfers.
