GH GambleHub

Licence of Romania

1) Overview and positioning

ONJN - Oficiul Național pentru Jocuri de Noroc is Romania's national gambling regulator. The regime is regarded as strict but practical: a high bar for Responsible Gaming, clear advertising/bonus rules, mature AML/KYC requirements, technical controls and reporting. The licence is valued by banks/PSPs and major content vendors and suits a long-term presence in the EU and multi-brand strategies.

Who it is relevant for:
  • B2C operators focused on sustainable growth and predictable regulatory practices.
  • B2B platforms/aggregators/studios working with European portfolios and requiring recognized status.

2) Types of licenses and perimeter

B2C (operator license): casino/slots, betting, poker, bingo, etc. Perimeter: cashier/payout, KYC/AML, RG, advertising/affiliates, support, regulatory and fiscal reporting.
B2B (class II - providers): platform, content/aggregation, hosting, live studios, PSP gateways, KYC/AML providers; telemetry compatibility, certification, and export requirements.
Key roles: MLRO/AMLO, DPO, RG-Lead, Heads (Compliance/Platform/SRE/Security/Payments).

💡 In a mixed model (B2C + B2B), keep processes, logs and artifacts strictly separated.

3) Responsible Gaming (core of the regime)

Self-exclusion (national registry): the operator must check each player's status online; access is blocked while an exclusion entry is active.
Player tools: deposit/loss/time limits, timeouts, cooling-off, reality-checks, activity history.
Behavioral analytics: early signs of problem play, matrix of soft/hard interventions, log of contacts and outcomes, escalation to the RG team.
Communication: ban on manipulative language, protection of minors and vulnerable groups, transparent T&C.
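The self-exclusion check above is the one control that must never silently pass when the registry is unreachable. The following is an added example (not code from the page or from ONJN) of a fail-closed gate with a decision log: the registry client is assumed to be a `lookup(player_id) -> bool` callable that returns True for an active exclusion and raises on timeout or error; the player ids, the `allow_ttl` fallback and all names are illustrative.

```python
"""Fail-closed self-exclusion gate with a decision log (added example).

Assumptions (hypothetical): `lookup(player_id)` returns True when the national
registry holds an active exclusion and raises on timeout/error.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

ALLOW, DENY = "ALLOW", "DENY"


@dataclass
class Decision:
    player_id: str
    outcome: str   # ALLOW or DENY
    reason: str    # machine-readable reason for the decision log / audit trail
    ts: float


class SelfExclusionGate:
    """Registry failures DENY by default. The only fallback: an already-authenticated
    session that was positively cleared within `allow_ttl` seconds may continue.
    New logins during a registry outage are refused."""

    def __init__(self, lookup: Callable[[str], bool], allow_ttl: float = 300.0,
                 now: Callable[[], float] = time.time):
        self._lookup = lookup
        self._allow_ttl = allow_ttl
        self._now = now
        self._last_cleared: Dict[str, float] = {}   # player_id -> time of last "not excluded"
        self.log: List[Decision] = []
        self.registry_errors = 0                    # feed this to alerting

    def check(self, player_id: str, continuing_session: bool = False) -> Decision:
        try:
            excluded = self._lookup(player_id)
        except Exception as exc:
            self.registry_errors += 1
            cleared_at = self._last_cleared.get(player_id)
            if (continuing_session and cleared_at is not None
                    and self._now() - cleared_at < self._allow_ttl):
                return self._record(player_id, ALLOW,
                                    f"registry_unavailable:{type(exc).__name__};recent_clear")
            return self._record(player_id, DENY,
                                f"registry_unavailable:{type(exc).__name__};fail_closed")
        if excluded:
            self._last_cleared.pop(player_id, None)
            return self._record(player_id, DENY, "active_self_exclusion")
        self._last_cleared[player_id] = self._now()
        return self._record(player_id, ALLOW, "no_active_exclusion")

    def _record(self, player_id: str, outcome: str, reason: str) -> Decision:
        decision = Decision(player_id, outcome, reason, self._now())
        self.log.append(decision)
        return decision


# Constructed sample registry: p-1001 has an active exclusion; "p-timeout" simulates an outage.
SAMPLE_EXCLUDED = {"p-1001"}


def sample_lookup(player_id: str) -> bool:
    if player_id == "p-timeout":
        raise TimeoutError("registry timeout")
    return player_id in SAMPLE_EXCLUDED


def demo() -> List[str]:
    gate = SelfExclusionGate(sample_lookup)
    return [
        gate.check("p-1001").outcome,                              # DENY: active exclusion
        gate.check("p-2002").outcome,                              # ALLOW
        gate.check("p-timeout").outcome,                           # DENY: fail-closed
        gate.check("p-timeout", continuing_session=True).outcome,  # DENY: never cleared before
    ]


if __name__ == "__main__":
    print(demo())
```

Every decision, including the denials caused by registry errors, lands in `gate.log`, which is the evidence a regulator asks for when the check is questioned; `registry_errors` is the counter that should page the on-call rather than quietly degrade to "allow".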

4) AML/KYC and sanctions

KYC: proof of identity/age by national ID document or passport; verification of address/residence against valid sources; trigger-based and periodic re-KYC.
Risk-based AML/CTF: customer/method/geo risk profiles, PEP/sanctions screening, EDD triggers, STR/SAR procedures, decision log and audit trail.
Transaction monitoring: velocity/anomaly rules, source-of-funds requests on suspicion, case management and retrospective checks.
Crypto/on-chain (if applicable): wallet policy, analytics providers, limits, manual checks, traceability.

5) Advertising, affiliates and communications

Age gates/platforms: strict requirements on targeting and formats; ban on misleading promises and "easy wins."

Bonus policy: restricted and regulated; T&C clear, without hidden restrictions; aggressive retargeting is prohibited.
Affiliates: contractual responsibility for RG/AML/data; white-list channels, creative audit, stop procedures, traffic traceability.
Influencers/streams: labeling, audience/content control, documenting placements.

6) Data and Privacy (GDPR/DPA)

Lawfulness and minimization: DPIA for high-risk processing; restricted storage of PII/PAN; access segregation and logging.
Data-subject rights: access/rectification/erasure/portability within the statutory deadlines; response templates and an escalation process.
Incidents/breaches: notification plans for the regulator/supervisory authority, investigation log, remediation measures.
Cross-border flows: DPAs with processors, controlled transmissions and residency of critical datasets.

7) Technical requirements: SDLC/observability/security/DR

SDLC and releases: staged pipelines, change control, signed artifacts and SBOMs, rollback policy, "no humans in prod," provable release log.
Observability: structured logs (no PAN/excess PII), metrics and traces (OTel), SLO/SLI (p95/p99 latency, error rate), synthetic deposit/ACC/withdrawal checks, controlled retention.
Security: segmentation, mTLS, WAF/bot management, SSO/MFA/PAM, SAST/SCA/DAST in CI/CD, regular pentests, and no critical/high findings past their remediation deadline.
DR/BCP: regular restore tests that confirm RTO/RPO, with exercise reports (acts); graceful-degradation runbooks.
Anti-abuse: protection against bonus abuse and fraud, device signals, velocity rules, behavioral scoring.
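"Structured logs without PAN/excess PII" is easy to state and easy to get wrong: a naive digit-run regex masks order ids and timestamps while a too-narrow one lets a card number with dashes through. The following is an added example (not code from the page) of a JSON log formatter that redacts Luhn-valid 13-19 digit runs down to BIN + last four and replaces e-mail addresses; the field names (`ctx`, `player_email`) are illustrative, and the sample card number is the well-known Visa test PAN.

```python
"""JSON log formatter that redacts PANs and e-mail addresses before they are written
(added example). Luhn validation keeps ordinary long ids from being masked."""
import json
import logging
import re
from typing import Any, Dict

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit counting from the right."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match[str]") -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)   # long digit run but not a card number: keep as-is
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]   # BIN + last four only


def redact(value: Any) -> Any:
    """Recursively redact strings inside dicts/lists; other types pass through."""
    if isinstance(value, str):
        return EMAIL_RE.sub("[email]", PAN_RE.sub(_mask_pan, value))
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value


class RedactingJsonFormatter(logging.Formatter):
    """One JSON object per line; `ctx` is an optional dict attached via logging's `extra`."""

    def format(self, record: logging.LogRecord) -> str:
        payload: Dict[str, Any] = {
            "ts": self.formatTime(record),
            "level": record.levelname,
            "logger": record.name,
            "msg": redact(record.getMessage()),
        }
        ctx = getattr(record, "ctx", None)
        if ctx:
            payload["ctx"] = redact(ctx)
        return json.dumps(payload, separators=(",", ":"))


def sample_payload() -> Dict[str, Any]:
    """Constructed sample: the Visa test PAN and a 16-digit order id that fails Luhn."""
    formatter = RedactingJsonFormatter()
    record = logging.LogRecord("cashier", logging.INFO, __file__, 0,
                               "deposit ok card=%s order=%s",
                               ("4111 1111 1111 1111", "1234567890123456"), None)
    record.ctx = {"player_email": "ana@example.com", "amount": 50}
    return json.loads(formatter.format(record))


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingJsonFormatter())
    log = logging.getLogger("cashier")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("withdrawal requested card=%s", "4111-1111-1111-1111",
             extra={"ctx": {"player_email": "ana@example.com"}})
```

Redaction in the formatter is a safety net, not the primary control: the cashier code should never hand a full PAN to the logger in the first place, and the PSP token should be what appears in logs. The formatter exists so that a single careless `log.info` does not turn the observability stack into cardholder-data scope.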

8) Payments and the "way to the wallet"

Methods: bank cards (3-D Secure), A2A/open banking (PSD2), local instant payment schemes and bank transfers; deposits and withdrawals to the player's own bank details.
Integrations: idempotency, HMAC-signed webhooks, DLQ/event replay, Time-to-Wallet monitoring, authorization and success rates, detailed reporting on refunds/chargebacks.
Sanctions/PEP and velocity: controls on inbound/outbound flows, limits and manually triggered checks.
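The integration requirements above (HMAC-signed webhooks, idempotency, DLQ/replay, Time-to-Wallet) are also what the Definition of Done in section 12.2 asks to see working. The following is an added example (not code from the page or from any PSP) of a webhook intake that puts them together: the header names `X-Timestamp`/`X-Signature`, the `event_id` field, the `created_at` field used for Time-to-Wallet and the signing scheme `HMAC-SHA256(secret, timestamp + "." + raw_body)` are assumptions; real PSPs publish their own.

```python
"""PSP webhook intake: HMAC verification, replay window, idempotency, DLQ (added example).

Assumed signing scheme: X-Signature = hex(HMAC-SHA256(secret, X-Timestamp + "." + raw_body)).
"""
import hashlib
import hmac
import json
import time
from typing import Any, Callable, Dict, List, Tuple

REPLAY_WINDOW_S = 300   # reject events whose signed timestamp is older than this


class WebhookIntake:
    def __init__(self, secret: bytes, handler: Callable[[dict], None],
                 now: Callable[[], float] = time.time):
        self._secret = secret
        self._handler = handler
        self._now = now
        self.processed: Dict[str, str] = {}     # event_id -> outcome (idempotency store)
        self.dlq: List[Dict[str, Any]] = []     # failed events kept for replay
        self.ttw_seconds: List[float] = []      # Time-to-Wallet samples for monitoring

    @staticmethod
    def sign(secret: bytes, ts: str, body: bytes) -> str:
        return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()

    def receive(self, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
        ts = headers.get("X-Timestamp", "")
        sig = headers.get("X-Signature", "")
        # 1. Authenticate the raw bytes first, in constant time; parse nothing before this passes.
        if not hmac.compare_digest(self.sign(self._secret, ts, body), sig):
            return 401, "bad_signature"
        # 2. Bound the replay window using the signed timestamp.
        try:
            age = abs(self._now() - float(ts))
        except ValueError:
            return 400, "bad_timestamp"
        if age > REPLAY_WINDOW_S:
            return 401, "stale"
        # 3. Parse and locate the idempotency key.
        try:
            event = json.loads(body)
            event_id = str(event["event_id"])
        except (ValueError, KeyError, TypeError):
            return 400, "bad_payload"
        # 4. PSPs retry on any non-2xx: a duplicate is acknowledged, never applied twice.
        if event_id in self.processed:
            return 200, "duplicate"
        # 5. Apply to the wallet; on failure park the event in the DLQ and ask for a retry.
        try:
            self._handler(event)
        except Exception as exc:
            self.dlq.append({"event": event, "error": repr(exc)})
            return 500, "queued_for_replay"
        self.processed[event_id] = "ok"
        if "created_at" in event:
            self.ttw_seconds.append(self._now() - float(event["created_at"]))
        return 200, "ok"

    def replay_dlq(self) -> int:
        """Re-run parked events (e.g. after a fix); returns how many now succeed."""
        succeeded = 0
        for item in list(self.dlq):
            try:
                self._handler(item["event"])
            except Exception as exc:
                item["error"] = repr(exc)
                continue
            self.processed[str(item["event"]["event_id"])] = "ok"
            self.dlq.remove(item)
            succeeded += 1
        return succeeded


def demo() -> Tuple[List[Tuple[int, str]], Dict[str, int], WebhookIntake]:
    secret = b"constructed-shared-secret"            # constructed sample secret
    wallet: Dict[str, int] = {}

    def credit(ev: dict) -> None:                    # the "way to the wallet"
        if ev["amount"] <= 0:
            raise ValueError("non-positive amount")
        wallet[ev["player_id"]] = wallet.get(ev["player_id"], 0) + ev["amount"]

    intake = WebhookIntake(secret, credit, now=lambda: 1700000000.0)

    def send(ev: dict, ts: str = "1700000000", tamper: bool = False) -> Tuple[int, str]:
        body = json.dumps(ev).encode()
        sig = WebhookIntake.sign(secret, ts, body)   # PSP side
        if tamper:                                   # amount altered in flight after signing
            body = body.replace(b'"amount": 50', b'"amount": 5000')
        return intake.receive({"X-Timestamp": ts, "X-Signature": sig}, body)

    deposit = {"event_id": "evt_1", "player_id": "p-2002", "amount": 50, "created_at": 1699999990}
    results = [
        send(deposit),                                  # ok
        send(deposit),                                  # duplicate: PSP retry, not re-credited
        send(deposit, tamper=True),                     # bad_signature
        send(deposit, ts="1699990000"),                 # stale: outside the replay window
        send({"event_id": "evt_2", "player_id": "p-2002", "amount": -1}),  # queued_for_replay
    ]
    return results, wallet, intake


if __name__ == "__main__":
    print(demo()[0])
```

Two points worth keeping from this shape: the signature is checked over the raw body before any JSON parsing, so a malformed payload cannot reach the parser unauthenticated; and a handler failure returns 5xx rather than 2xx so the PSP keeps retrying while the event sits in the DLQ, which is what makes "lost webhooks" a monitored condition instead of a reconciliation surprise.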

9) Reporting, taxes and renewal (high-level)

Regulatory reporting: finance and GGR by verticals, RG metrics, complaints/incidents, structure changes/Key Persons, advertising violations and measures.
Fiscal part: calculations based on gaming revenue, taking adjustments (bonuses/jackpots) into account; reconciliation against game/payout logs and PSP/bank data.
Renewal/audit: periodic checks of policies, technical controls, RG/AML and advertising; "evidence-first" packages (releases/SBOM, vulnerability status, DR reports, RG telemetry).

💡 Confirm the exact rates, forms and filing frequencies for your corporate structure against the current regulations.

10) Licensing Process: Phases and Timelines

1. Pre-fit & gap analysis (1-8 weeks): verticals/channels, provider map (content/PSP/KYC), IT readiness audit, remediation plan.
2. Document package (4-12 weeks): corporate/financial/SoF/SoW, Key Persons, AML/RG/advertising/data/incident/DR policies, contracts, IT architecture.
3. Technical review (4-16 weeks): SDLC/observability/security/DR, vulnerability scans/penetration tests, restore-test reports, integration/laboratory requirements (where applicable).
4. Review and Q&A: questions on beneficiaries/policies/IT/data/advertising; Key Persons interviews; demonstration of logs/dashboards and RG processes.
5. Go-live/onboarding (2-6 weeks): reporting, PSP/content onboarding, dry-run of RG/AML/payment scenarios.
6. Post-licensing duties: periodic reports/audits, renewals, variations (beneficiaries/verticals/locations).

Critical path: Key Persons → live policies → SDLC/observability/DR (evidence) → Q&A/demo.

11) The pros and cons of ONJN

Pluses

High trust from banks/PSPs/media; a strong reputation in the EU.
Clear RG/advertising standards and mature AML/KYC practices.
Brand capitalization and B2B opportunities.

Cons

High compliance OPEX and rigorous demands on the provability of processes.
Strict control of advertising activities and affiliates.
Low tolerance for "gray zones" and "paper" policies.

12) Readiness checklists

12.1 Definition of Ready

  • Perimeter (verticals/channels/payment methods) defined; payment reality confirmed (PSP/banks/local rails).
  • MLRO/AMLO, DPO, RG-Lead and Heads (Compliance/Platform/SRE/Security/Payments) appointed; SoF/SoW and references collected.
  • AML/RG/advertising/data/incident/DR policies approved; training delivered and an audit log kept.
  • SDLC: signed artifacts + SBOM, release history, "no humans in prod," rollback policy.
  • Observability: SLO/SLI dashboards, synthetic "deposit/CCL/withdrawal" checks, log retention.
  • Security: pentest/scan findings closed; no critical/high exceptions past their deadline.
  • Content/PSP/KYC/Lab/Hosting Contracts; SLA/OLA agreed.
  • Advertising/affiliates: white-list channels, creative audit, stop procedures.
  • Integration with the national self-exclusion registry: design and artifacts ready.

12.2 Definition of Done

  • Regulatory/fiscal reporting live; KPI owners assigned.
  • PSP/content onboarded; webhooks subscribed (HMAC-signed), idempotency and DLQ working.
  • RG tools active; intervention telemetry and a decision log maintained; self-exclusion checks run online at login.
  • DR/BCP: restore tests performed and reports issued; RTO/RPO achieved.
  • Advertising/affiliates: whitelisting, creative auditing, violation and action log.

13) RACI (example)

Area | Responsible | Accountable | Consulted | Informed
AML/RG/data/advertising (policy) | Compliance Lead | COO/Head of Compliance | Legal, Security | Product, Support
Key Persons/SoF/SoW | Legal Lead | CEO | Compliance | Board
SDLC/observability/DR | Platform/SRE Lead | CTO | Security | All teams
Pentest/vulnerabilities | Security Lead | CTO | Vendors, SRE | Compliance
Contracts (PSP/KYC/Content) | Payments/Content Ops | COO | Legal, Security | Finance
Package/Q&A/Demo | Program Manager | COO | All Leads | Stakeholders

14) Risks and mitigation

Risk | Sign | Mitigating measure
"Paper" policies | Many clarification requests/prescriptions | Evidence-first: logs, dashboards, DR reports
Vulnerabilities/pentest | Critical/high findings past their deadline | SAST/SCA/DAST in CI, policy-as-code, fast fixes
Advertising violations | Complaints/fines | Whitelisting, creative auditing, stop procedures
Payment incidents | Lost/duplicated webhooks | Idempotency, HMAC, DLQ/replay, TtW monitoring
Self-exclusion check failed | Access blocked | Mandatory online verification, fallback scenarios

15) 90-180 Day Roadmap (example)

Month 1-2: gap analysis, Key Persons appointment, SDLC/observability/security remediation, lab bookings.
Month 2-3: collection of the corporate package/policies, pentest/scans, DR reports, contracts with PSP/KYC/content, integration project with the self-exclusion registry.
Month 3-4: submission, preparation for Q&A/interviews, dry-run demonstrations (dashboards, logs, RG/AML/advertising scenarios).
Month 4-6: Q&A/variations, finalization, onboarding of payments/content, reporting go-live.

Summary

The Romanian ONJN license is a strict but predictable regime with a focus on Responsible Gaming, advertising/bonus discipline, mature AML/KYC, and provable IT controls. Build an evidence-first culture (SDLC/observability/security/DR, RG telemetry, transparent reporting), keep affiliates in check, and plan integrations and tests in advance. This approach opens up access to a high-confidence payment ecosystem and strengthens brand capitalization in the EU.

Contact

Get in Touch

Reach out with any questions or support needs. We are always ready to help!

Telegram
@Gamble_GC