GH GambleHub

Spanish License (DGOJ)

1) Overview and positioning

DGOJ (Dirección General de Ordenación del Juego) is one of the EU's most demanding regulators. The regime is built around consumer protection: strict Responsible Gaming rules, clear advertising and bonus restrictions, mature KYC/AML requirements and provable IT controls. The license is valued by banks/PSPs and major content vendors, but it requires evidence-first discipline.

Who it is relevant for:
  • Operators building a long-term brand in the EU with an emphasis on compliance and reputation.
  • B2B platforms/aggregators/studios working with the European operator pool.

2) Types of licenses and perimeter

B2C (operator): casino/slots, betting, poker, bingo, etc. for players located in Spain. Full perimeter: cashier/payouts, KYC/AML, RG, advertising/affiliates, support, regulatory and fiscal reporting.
B2B/suppliers: requirements depend on the role (platform, content, hosting); compatibility, signed integration acts and telemetry export to licensees are mandatory.
Personal roles: MLRO/AMLO, DPO, RG Lead, Heads of Compliance/Platform/SRE/Security/Payments.

💡 If you run both B2C and B2B, keep their processes, logs and reporting separate.

3) Responsible Gaming (core of the regime)

RGIAJ (Registro General de Interdicciones de Acceso al Juego), the national self-exclusion register: the operator must check every player against it; access is blocked while the entry is active.
Player tools: deposit/loss/time limits, reality checks, timeouts/cooling-off, activity history, night-time activity restrictions (according to internal policies and regulatory requirements).
Behavioral monitoring: early signs of problem play, soft/hard intervention protocols, a log of contacts and outcomes, escalation to the RG team.
Bonuses and promos: strictly regulated; misleading mechanics are banned, T&Cs must be transparent, aggressive retargeting is restricted.

4) KYC/AML and sanctions

KYC: identity/age verification of Spanish citizens by DNI and of foreigners by NIE/passport; address/residence from supporting documents or data sources.
Risk-based AML/CTF: player/geo/payment-method risk profiles, PEP/sanctions lists, EDD triggers, decision log, STR/SAR procedures.
Transaction monitoring: velocity/anomaly rules, source-of-funds checks on suspicion, limit rules and behavioral models.
Crypto/on-chain (if applicable): wallet policy, analytics providers, provenance checks.
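The KYC bullet above calls for verifying identity by DNI (citizens) or NIE (foreigners). A cheap first-line check, before a document ever goes to the KYC provider, is the published control-letter algorithm for both formats: the letter is LETTERS[number mod 23], and for a NIE the leading X/Y/Z is replaced by 0/1/2 before the modulo. The block below is an added example written for this page, not GambleHub code; the sample identifiers are constructed. A passing check only proves the identifier is well formed, not that the document is genuine or belongs to the player.

```python
"""Format and control-letter validation for Spanish DNI and NIE numbers.

Added example, not GambleHub code. Implements the public check-letter rule
(control letter = LETTERS[number % 23]; NIE prefix X/Y/Z -> 0/1/2).
"""
import re

LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
_DNI_RE = re.compile(r"^(\d{8})([A-Z])$")
_NIE_RE = re.compile(r"^([XYZ])(\d{7})([A-Z])$")
_NIE_PREFIX = {"X": "0", "Y": "1", "Z": "2"}


def normalize(raw: str) -> str:
    # Drop separators users commonly type and upper-case the letter.
    return re.sub(r"[\s.\-]", "", raw).upper()


def control_letter(number: int) -> str:
    return LETTERS[number % 23]


def validate_id(raw: str) -> dict:
    """Return {'type': 'DNI'|'NIE'|None, 'valid': bool, 'reason': str}."""
    value = normalize(raw)

    m = _DNI_RE.match(value)
    if m:
        number, letter = int(m.group(1)), m.group(2)
        ok = control_letter(number) == letter
        return {"type": "DNI", "valid": ok, "reason": "" if ok else "bad check letter"}

    m = _NIE_RE.match(value)
    if m:
        # The NIE prefix letter is mapped to a digit before the modulo.
        number = int(_NIE_PREFIX[m.group(1)] + m.group(2))
        letter = m.group(3)
        ok = control_letter(number) == letter
        return {"type": "NIE", "valid": ok, "reason": "" if ok else "bad check letter"}

    return {"type": None, "valid": False, "reason": "unrecognised format"}


if __name__ == "__main__":
    # Constructed sample identifiers, not real people.
    for sample in ("12345678Z", "12345678A", "X-1234567-L", "Y0000000Z", "1234567Z"):
        print(sample, validate_id(sample))
```

Reject malformed identifiers at the cashier/registration boundary and log only the outcome (type and valid/invalid), never the identifier itself, in line with the minimization requirements in section 6.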

5) Advertising, affiliates and communications

Age gating and placements: strict targeting controls; bans on misleading promises, labeling requirements.
Time windows and content: limits on broadcast times and ad formats; heightened attention to the protection of minors and vulnerable groups.
Affiliates: contractual responsibility for RG/AML/data; whitelisted channels, creative audits, stop procedures and traffic traceability.
Influencers/streams: additional audience requirements, transparency of placements and T&Cs.

6) Data and Privacy (GDPR/AEPD)

Lawfulness and minimization: DPIA for high-risk processing; PII/PAN stored minimally and only for stated purposes; access control and logging.
Data-subject rights: access/rectification/erasure/portability within statutory deadlines; procedural guides for support.
Incidents/breaches: notification plans for the regulator and affected entities, investigation and remediation log.
Cross-border flows: DPAs with processors, controlled transfers, and residency of critical datasets.

7) Technical standards: SDLC/observability/security/DR

SDLC and releases: staging pipelines, change control, signed artifacts and SBOMs, rollback policy, "no humans in prod," provable release log.
Observability: structured logs (without PAN and unnecessary PII), metrics and traces (OTel), SLOs/SLIs, synthetic deposit/CCL/withdrawal checks, controlled retention.
Security: segmentation, mTLS, WAF/bot management, SSO/MFA/PAM, SAST/SCA/DAST in CI/CD, regular pentests and no overdue critical/high findings.
DR/BCP: regular restore tests that confirm RTO/RPO, signed exercise reports and graceful-degradation scenarios.
Anti-abuse: protection against bonus abuse, behavioral scoring, device signals, velocity rules, complaint monitoring.
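"Structured logs without PAN and unnecessary PII" is a control that needs enforcing in code, not just in policy, because support engineers paste card numbers into messages and payment payloads leak into debug logs. The block below is an added example, not GambleHub code: it matches 13 to 19 digit runs (with optional spaces or dashes), keeps only those that pass the Luhn check so that order IDs and timestamps are left alone, masks them to BIN + last 4, and drops fields whose names are on a sensitive list. The field names, the sample card number and the log lines are constructed for the demo.

```python
"""Scrub card numbers (PANs) and sensitive fields from structured log events.

Added example, not GambleHub code. SENSITIVE_KEYS and the sample inputs are
assumptions for the demo; 4111111111111111 is a standard Luhn-valid test PAN.
"""
import json
import logging
import re
from typing import Optional

# 13-19 digits, optionally separated by single spaces/dashes, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SENSITIVE_KEYS = {"cvv", "cvc", "password", "pan"}   # assumed field names


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; used to tell card numbers from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace Luhn-valid digit runs with BIN + asterisks + last 4."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)               # order ID, timestamp, etc.: leave untouched
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return _PAN_RE.sub(repl, text)


def scrub_record(record: dict) -> dict:
    """Drop sensitive fields by name and mask PANs inside string values, recursively."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = mask_pan(value)
        elif isinstance(value, dict):
            out[key] = scrub_record(value)
        else:
            out[key] = value
    return out


def format_event(level: str, msg: str, fields: Optional[dict] = None) -> str:
    """Render one JSON log line with the message and extra fields scrubbed."""
    payload = {"level": level, "msg": mask_pan(msg)}
    if fields:
        payload.update(scrub_record(fields))
    return json.dumps(payload, sort_keys=True)


class ScrubbingJsonFormatter(logging.Formatter):
    """Attach with handler.setFormatter(...); pass extra fields via extra={'fields': {...}}."""
    def format(self, record: logging.LogRecord) -> str:
        return format_event(record.levelname, record.getMessage(), getattr(record, "fields", None))


if __name__ == "__main__":
    # Constructed sample events.
    print(format_event("WARN", "card 4111 1111 1111 1111 declined for order 1234567890123",
                       {"cvv": "123", "psp": {"note": "pan 4111111111111111"}}))
```

Put the formatter on every handler in the log pipeline rather than relying on call sites; the Luhn filter is what keeps false positives (long order IDs, epoch timestamps) out of the masked output.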

8) Payments and the "way to the wallet"

Methods: cards, A2A/open banking (PSD2), local instant rails (including the solutions popular in Spain), bank transfers.
Integration requirements: idempotency, HMAC-signed webhooks, DLQ/event replay, Time-to-Wallet monitoring and authorization/success-rate tracking.
Sanctions/PEP and velocity: control of inbound/outbound flows, dedicated procedures for refunds/chargebacks.
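The integration requirements above (idempotency, HMAC-signed webhooks, DLQ/replay) fit together in one intake path, shown below as an added example written for this page; it is not GambleHub code and not any real PSP's scheme. Assumed wire format: the PSP sends X-Timestamp (unix seconds) and X-Signature (hex HMAC-SHA256 over "<timestamp>.<raw body>"), and every JSON event carries a unique event_id. The secret, header names and 5-minute skew window are assumptions; real PSPs document their own. The order matters: authenticate the raw bytes first, then deduplicate, then apply, and park failures instead of dropping them.

```python
"""PSP webhook intake: HMAC verification, replay window, idempotency and a DLQ.

Added example, not GambleHub code and not a real PSP's scheme. Header names,
signature format, secret and skew window are assumptions for the demo.
"""
import hashlib
import hmac
import json
import time

SECRET = b"whsec_demo_only"   # assumed shared secret; load from a secret store in prod
MAX_SKEW_SECONDS = 300


def encode_event(event: dict) -> bytes:
    return json.dumps(event, sort_keys=True).encode()


def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    # The timestamp is inside the signed message, so a captured delivery cannot be re-sent later.
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def headers_for(body: bytes, timestamp: int) -> dict:
    """What the (assumed) PSP would attach to a delivery."""
    return {"X-Timestamp": str(timestamp), "X-Signature": sign(body, timestamp)}


class WebhookReceiver:
    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}     # event_id -> result; stand-in for a durable idempotency store
        self.ledger = []    # (player_id, amount_cents) credits actually applied to wallets
        self.dlq = []       # failed events kept for replay instead of being dropped

    def handle(self, body: bytes, headers: dict) -> dict:
        # 1. Authenticate the raw bytes before parsing anything.
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return {"status": 400, "reason": "bad timestamp"}
        if abs(int(self._now()) - ts) > MAX_SKEW_SECONDS:
            return {"status": 401, "reason": "stale"}
        if not hmac.compare_digest(sign(body, ts), headers.get("X-Signature", "")):
            return {"status": 401, "reason": "bad signature"}

        event = json.loads(body)
        event_id = event["event_id"]

        # 2. Idempotency: a redelivered event returns the stored result; no second credit.
        if event_id in self._seen:
            return {"status": 200, "duplicate": True, **self._seen[event_id]}

        # 3. Apply; on failure park the event in the DLQ and let the PSP retry.
        try:
            result = self._apply(event)
        except Exception as exc:
            self.dlq.append({"event": event, "error": str(exc)})
            return {"status": 500, "reason": "queued for replay"}
        self._seen[event_id] = result
        return {"status": 200, "duplicate": False, **result}

    def _apply(self, event: dict) -> dict:
        if event["type"] != "payment.succeeded":
            raise ValueError("no handler for " + event["type"])
        self.ledger.append((event["player_id"], event["amount_cents"]))
        return {"credited": event["amount_cents"]}

    def replay_dlq(self) -> int:
        """Re-run parked events (e.g. after deploying a missing handler); returns successes."""
        pending, self.dlq = self.dlq, []
        ok = 0
        for item in pending:
            try:
                self._seen[item["event"]["event_id"]] = self._apply(item["event"])
                ok += 1
            except Exception as exc:
                self.dlq.append({"event": item["event"], "error": str(exc)})
        return ok


if __name__ == "__main__":
    # Constructed delivery: one credit, then the same delivery replayed.
    rx = WebhookReceiver()
    now = int(time.time())
    body = encode_event({"event_id": "evt_1", "type": "payment.succeeded",
                         "player_id": "p1", "amount_cents": 2500})
    print(rx.handle(body, headers_for(body, now)))
    print(rx.handle(body, headers_for(body, now)), rx.ledger)
```

Time-to-Wallet is measured from the PSP's event timestamp to the ledger append in _apply; anything that lands in the DLQ should raise an alert, since replay is manual and the player is waiting.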

9) Reporting, taxes and renewal (high-level)

Regulatory reporting: financials and GGR by vertical, RG metrics, complaints/incidents, changes in structure/Key Persons, advertising violations and the measures taken.
Tax: computed on gaming revenue; reconciled against game/payout logs and PSP/bank data.
Renewal/audit: periodic checks of policies, technical controls, RG/AML and advertising; "evidence-first" packages (releases/SBOMs, vulnerability status, DR reports, RG telemetry).

💡 Specific rates/forms and frequencies should be clarified according to current regulations and your corporate structure.

10) Licensing Process: Phases and Timelines

1. Pre-fit & gap analysis (1-8 weeks): target verticals/channels, provider map (content/PSP/KYC), IT readiness audit, remediation plan.
2. Document package (4-12 weeks): corporate/finance/SoF/SoW, Key Persons, policies for AML/RG/advertising/data/incidents/DR, contracts, IT architecture.
3. Technical review (4-16 weeks): SDLC/observability/security/DR, vulnerability scans/penetration tests, restore-test reports, integration/laboratory requirements (where applicable).
4. Review and Q&A: questions on beneficiaries/policies/IT/data/advertising; Key Persons interviews; demonstration of logs/dashboards and RG processes.
5. Go-live (2-6 weeks): reporting, onboarding of PSPs/content, dry run of RG/AML/payment scenarios.
6. Ongoing obligations: periodic reports/audits, renewals, variations (beneficiaries/verticals/locations).

Critical path: Key Persons → approved policies → SDLC/observability/DR (evidence) → Q&A/demo.

11) The pros and cons of DGOJ

Pros

High consumer trust and recognition with banks/PSPs/media.
Clear RG/advertising standards; strong KYC quality (DNI/NIE).
Boost to brand value and partnership opportunities in the EU.

Cons

Strict bonus/advertising restrictions and high compliance OPEX.
Strict provability requirements (policies without artifacts do not count).
Low tolerance for "gray zones" and aggressive marketing.

12) Readiness checklists

12.1 Definition of Ready

  • Perimeter (verticals/channels/payment methods) defined; payment reality confirmed (PSPs/banks/local rails).
  • MLRO/AMLO, DPO, RG Lead and Heads of Compliance/Platform/SRE/Security/Payments appointed; SoF/SoW and references collected.
  • AML/RG/advertising/data/incident/DR policies approved; training held, with an audit log.
  • SDLC: signed artifacts and SBOMs, release log, "no humans in prod," rollback policy.
  • Observability: SLO/SLI dashboards, synthetic deposit/CCL/withdrawal checks, log retention.
  • Security: pentest/scan findings closed; no critical/high findings with overdue exceptions.
  • Contracts for content/PSP/KYC/lab/hosting signed; SLAs/OLAs agreed.
  • Advertising model: whitelisted channels, creative audits, stop procedures.
  • Integration with RGIAJ: technical and process artifacts ready.

12.2 Definition of Done

  • Regulatory/fiscal reporting enabled; KPI owners assigned.
  • PSPs/content onboarded; webhooks subscribed (HMAC), idempotency and DLQ working.
  • RG tools active; intervention telemetry and a decision log maintained; RGIAJ lookups live.
  • DR/BCP: restore tests performed and reports signed off; RTO/RPO within target.
  • Advertising/affiliates: whitelisting, creative audits, log of violations and actions.

13) RACI (example)

Area                              | Responsible           | Accountable            | Consulted        | Informed
AML/RG/data/advertising (policy)  | Compliance Lead       | COO/Head of Compliance | Legal, Security  | Product, Support
Key Persons/SoF/SoW               | Legal Lead            | CEO                    | Compliance       | Board
SDLC/observability/DR             | Platform/SRE Lead     | CTO                    | Security         | All teams
Pentest/vulnerabilities           | Security Lead         | CTO                    | Vendors, SRE     | Compliance
Contracts (PSP/KYC/Content)       | Payments/Content Ops  | COO                    | Legal, Security  | Finance
Package/Q&A/Demo                  | Program Manager       | COO                    | All Leads        | Stakeholders

14) Risks and mitigation

Risk                          | Sign                                     | Mitigating measure
Key Persons delays            | Additional inquiries/interviews          | Early collection, reserve candidates
Advertising/bonus violations  | Complaints/fines                         | Whitelisting, creative audits, strict T&Cs
"Paper" RG policies           | Regulator clarification requests/orders  | Intervention telemetry, reports, runbooks
Vulnerabilities/pentest       | Overdue critical/high findings           | SAST/SCA/DAST in CI, policy-as-code, fast fixes
Payment incidents             | Lost/duplicated webhooks                 | Idempotency, HMAC, DLQ/replay, TtW monitoring
RGIAJ feed outage             | Self-excluded players gain access        | Mandatory online check, fail-closed fallback procedure

15) 90-180 Day Roadmap (example)

Months 1-2: gap analysis, Key Persons appointment, SDLC/observability/security remediation, lab slot bookings.
Months 2-3: assembly of the corporate package/policies, pentest/scans, DR reports, contracts with PSPs/KYC/content, integration with RGIAJ.
Months 3-4: submission, Q&A/interview preparation, dry-run demos (dashboards, logs, RG/AML/advertising scenarios).
Months 4-6: Q&A/variations, finalization, onboarding of payments/content, enabling reporting.

Summary

DGOJ's Spanish license is a strict but predictable regime focused on Responsible Gaming (RGIAJ), advertising/bonus discipline, mature KYC/AML, and provable IT controls. If you are ready for an "evidence-first" culture (SDLC/observability/security/DR, RG telemetry, transparent reporting) and respect the local marketing rules, Spain gives access to a high-trust payment ecosystem and strengthens brand value in the EU.

Contact

Get in Touch

Reach out with any questions or support needs. We are always ready to help!

Telegram
@Gamble_GC