License of Italy
1) Overview and positioning
ADM (Agenzia delle Dogane e dei Monopoli, formerly AAMS) regulates remote gambling (GAD, Gioco a Distanza). The model is a concession with high requirements for due diligence, RG/AML, data protection and strict technical integration with the central system. The market is mature and the payment ecosystem is developed, but there is a strict ban on public advertising and sponsorships: the operator relies on organic traffic, SEO, its own channels and strict CRM compliance.
Who it is relevant to:
- Brands targeting a sustainable EU footprint, ready for evidence-first discipline and for working without classic performance marketing.
- Platforms/B2B building a portfolio of integrations with Italian licensees and ready for ADM certification.
2) Permit types and perimeter
B2C GAD concession (operator): front/back office, cash desk/payments, KYC/AML, RG, support, reporting, integration with the central ADM system. Verticals: casino/slots, betting, poker, bingo, etc.
B2B/suppliers (platforms, content, live studios): software/integration certification, contract SLA/OLA with licensees, telemetry export.
Personal roles: MLRO/AMLO, DPO, RG-Lead, Heads (Compliance/Platform/SRE/Security/Payments).
3) Responsible Gaming
RUA - Registro Unico delle Autoesclusioni: mandatory online self-exclusion check before granting access to the game.
Player tools: deposit/loss/time limits, timeouts, self-exclusion, reality-checks, activity history.
Behavioral cues and interventions: early risk identification, soft/hard intervention protocols, log of contacts and outcomes.
Communication: carefully designed scenarios, prohibition on incentivizing vulnerable users and minors.
4) AML/KYC (risk-based)
KYC: documentary confirmation of identity/age and Codice Fiscale; address/residence confirmed from secondary sources. Until KYC is complete, access is limited.
AML/CTF: customer/method profiles, PEP/sanctions, EDD triggers, STR/SAR procedures, decision and escalation log.
Transactional monitoring: velocity/anomalies, source-of-funds checks on suspicion, case management.
Crypto/on-chain (if applicable): wallet policy, traceability, provider limits/block lists.
5) Advertising, Affiliates and CRM
Decreto Dignità: Effectively bans public advertising and gambling sponsorships. Any communication is under a microscope.
Affiliates: work is possible only within the strict framework of informing (without promotional pressure); contractual obligations for RG/AML/data, channel whitelists, material audits, stop procedures.
CRM/letters/SMS/push: informational service communications and strictly compliant scenarios are allowed; aggressive retargeting/bonus spam is unacceptable.
UX and storefronts: transparent T&Cs, no "easy win" promises, protection of minors.
6) Data and privacy
GDPR and Garante Privacy: lawfulness and minimization, DPIA for high-risk operations, access control and logging.
DSR procedures: access/rectification/erasure/portability, within the set time frame.
Location/data streams: controlled cross-border transmissions, DPA with processors, retention by data class.
7) Technical standards and integrations
Central ADM system: the operator is obliged to transfer transactional data/reporting through certified interfaces; continuity and accuracy are critical.
SDLC/releases: staging pipelines, change control, artifact and SBOM signatures, rollback policy, "no humans in prod," provable release log.
Observability: logs (without PAN/extra PII), metrics and traces (for example, OTel), SLO/SLI (latency p95/p99, error-rate), synthetic "deposit/ACC/output" checks, controlled log retention.
Security: mTLS/segmentation, WAF/bot management, SSO/MFA/PAM, vulnerability scanning (SAST/SCA/DAST) in CI/CD, regular penetration tests, no overdue critical/high findings.
DR/BCP: regular restore tests confirming RTO/RPO, exercise reports; graceful-degradation scenarios.
Anti-abuse: protection against bonus abuse and fraud, device-signals, velocity rules, behavioral scoring.
8) Payments and the "way to the wallet"
Methods: cards, bonifico (bank transfer), PostePay, A2A/Open Banking (PSD2), local instant rails/wallets, payouts to bank account details.
Integrations: idempotency, HMAC-signed webhooks, DLQ/event replay, monitoring of Time-to-Wallet and authorization/success rates, refund/chargeback reporting.
Sanctions/PEP and velocity: incoming/outgoing flow control, limits, manual trigger checks.
9) Reporting, taxes and renewal (high-level)
Regulatory reporting: GGR by verticals, RG metrics, complaints/incidents, changes in the structure/Key Persons, reports on central system interfaces.
Fiscal part: built around game income with adjustments (bonuses/jackpots); reconciliations with game/payout logs and PSP/bank data are mandatory.
Renewal/audit: periodic checks of policies, technical controls, RG/AML and compliance with advertising restrictions; "evidence-first" packages (releases/SBOM, vulnerabilities, DR reports, RG telemetry).
10) Licensing Process: Phases and Timelines
1. Pre-fit & Gap (1-8 weeks): verticals/channels, provider map (content/PSP/KYC), IT readiness audit, remediation plan, CRM communications design taking the advertising ban into account.
2. Package of documents (4-12 weeks): corporate/finance/SoF/SoW, Key Persons, AML/RG/data/incidents/DR policies, contracts, IT architecture and integrations with the central system.
3. Technical control/certification (4-16 weeks): SDLC/observability/security/DR, vulnerabilities/penetration tests, restore-test reports, requirements for ADM interfaces.
4. Review and Q&A: questions on beneficiaries/policies/IT/data/advertising; Key Persons interview; demonstration of logs/dashboards and RG/AML/payment scenarios.
5. Output/input (2-6 weeks): reporting, on-boarding PSP/content, test with central system, dry-run RG/AML/payments.
6. Post-duties: periodic reports/audits, renewals, variations (beneficiaries/verticals/locations).
Critical path: Key Persons → live policies → SDLC/observability/DR (evidence) → central system interfaces → Q&A/demo.
11) The pros and cons of ADM
Pros
High confidence of banks/PSPs and content partners.
Predictable technical model with a central system and mature standards.
Boost to the capitalization and sustainability of the portfolio in the EU.
Cons
Complete ban on public advertising: the role of organic traffic, product and CRM compliance grows.
High compliance OPEX and rigorous process provability.
Demanding integration and reporting into the central system.
12) Readiness checklists
12.1 Definition of Ready
- Perimeter (verticals/channels/payment methods) defined; payment reality confirmed.
- MLRO/AMLO, DPO, RG-Lead, Heads (Compliance/Platform/SRE/Security/Payments) appointed; SoF/SoW and references collected.
- AML/RG/data/incidents/DR policies approved; training is in place and an audit log is kept.
- SDLC: signatures + SBOM, release history, "no humans in prod," rollback policy.
- Observability: SLO/SLI dashboards, synthetic checks "deposit/CCL/output," log retention.
- Security: pentest/scans with no overdue critical/high findings; remediation plan.
- Content/PSP/KYC/Lab/Hosting Contracts; ADM interface requirements agreed.
- Model without public advertising: channel whitelists, informational communication templates, stop procedures.
12.2 Definition of Done
- Regulatory/fiscal reporting enabled; KPI owners are assigned.
- Central system interfaces are stable; SLA monitoring.
- PSPs/content onboarded; webhooks with HMAC, idempotency and DLQ in prod.
- RG tools are active; intervention/self-exclusion telemetry (RUA) is underway.
- DR/BCP: restore tests were carried out and certificates were issued; RTO/RPO achieved.
- CRM/affiliates: only valid informational channels; audit of materials; log of violations and measures.
13) RACI (example)
14) Risks and mitigation
15) 90-180 Day Roadmap (example)
Month 1-2: gap analysis, Key Persons assignment, SDLC/Observability/Security remediation plan, ADM interface alignment.
Month 2-3: collection of corporate package/policies, penetration tests/scans, DR reports, PSP/KYC/content contracts.
Month 3-4: submission, preparation for Q&A/interviews, dry-run demonstrations (dashboards, logs, RG/AML/payments/ADM interfaces).
Month 4-6: Q&A/variations, finalization, on-boarding of payments/content, enabling of reporting and stable integration with the central system.
Brief conclusion
The Italian ADM license is a strict but predictable regime with a unique combination: concession + ban on public advertising + central reporting system. Success here relies on an evidence-first culture (SDLC/observability/security/DR), RG/AML/RUA discipline, sound KYC based on Codice Fiscale and careful work without aggressive marketing. With this approach, Italy becomes a sustainable pillar of the European portfolio and increases brand capitalization.