GH GambleHub

Cyprus - National Betting Authority

(Section: "Markets and Jurisdictions")

1) Market picture

Cyprus is an EU member with developed offline retail rates and regulated online betting. The regulator, the National Betting Authority (NBA), licenses, supervises, protects players and controls advertising. Online casino games are not allowed; the online segment is limited to bets (sports/virtuals, etc., within the betting law).

2) Regulators and roles

Parliament/Government - a framework law on rates and by-laws.
NBA (National Betting Authority) - issue/renewal of licenses, register of operators, technical and behavioral supervision, Responsible Gaming, sanctions.
Police/Financial Intelligence - AML/CFT coordination and investigations.
Tax authorities - administration of fiscal accruals, verification of payments.
Municipal authorities - rules for offline points (zoning, operating hours, etc.).

3) License classes

Class A (offline betting) - betting activities at betting points. Required: room, zoning/signage compliance, cash discipline, trained personnel, CCTV, etc.
Class B (online bets) - remote bets through sites/applications. Required: IT loop with logging, reporting interfaces for NBA, platform/generator certification, RG and AML mechanics.
Key persons - directors/beneficiaries are tested for suitability and source of funds.
A legal entity is usually an EU/EEA company registered in Cyprus or a branch in Cyprus, local representatives and a bank account.
Guarantees/fees - license fees and bank guarantee (to cover obligations to players and fisk).

4) Taxation and payments to the budget

The fiscal model focuses on gross gambling income from betting (NGR/GGR for betting):
  • Betting tax: usually 10% of NGR (bets − wins, excluding permissible adjustments).
  • Earmarked contributions: an additional 3% of NGR (allocated to sports/supervision/profile funds).
  • Corporate income tax (CIT) is a nationwide rate for legal entities.
  • VAT - bets/winnings are usually outside the scope of VAT; related services (IT/marketing) - according to general rules.
  • Player wins - taxation on individual conditions (the operator must have an up-to-date retention/message matrix).

Reporting and calculation base

Separate accounting offline/online, sport/product, bonuses, void/cashout.
Monthly declarations and recurring payments; annual report and audit.
Storage of the primary (logs, billing, transactions) - the period established by law.

5) IT circuit and regulator access

NBA data access: interfaces/uploads, API checks, secure channels.
Infrastructure: fault tolerance, redundancy, unchanging logs (WORM), time synchronization (UTC), detailed event logs for bets/wins/bonuses/limits.
Certification: betting platform, RNG for virtual views, coefficient calculation module, reporting tools.
DR/BCP: disaster recovery plan, RPO/RTO, regular tests.
Data protection: encryption at rest/transit, secret management, RBAC/SoD, pentests.

6) AML/CFT and identification

KYC/KYB: identification at registration/before first payment; verification of age (18 +), POP/sanctions, source of funds for triggers.
Monitoring: limits of deposits and rates, scenarios of atypical behavior, connections of accounts/payment instruments, reports to financial intelligence on suspicious transactions.
Data providers: sanction/POP databases, proven SLA and accuracy.
Storage: KYC dossiers, logs of inspections and alerts within the statutory deadlines.

7) Responsible Gaming (RG)

Tools: limits (deposit/rates/time), timeouts, self-exclusion (single lists), noticeable RG showcase, age warnings.
Communications: no promises of "guaranteed winnings," transparent T&C bonuses, correct information about chances and risks.
Support: separate escalation process for vulnerable players; personnel training.

8) Advertising, marketing, affiliates

Prohibitions: targeting minors, "aggressive" offers, hidden conditions.
Bonus requirements: understandable wagers, mouthguards, terms; accounting for bonuses is reflected transparently in NGR.
Affiliates: written contracts, approval of creatives, compliance evidence log (screenshots/URLs/dates), quick recall of violating materials.
Creatives: mandatory RG markings, restrictions on imagery/messages.

9) Offline points (Class A)

Locations: compliance with municipal rules for placement and signs.
Requirements: employee training, cash discipline, CCTV, storage of records, prohibitions for 18-.
Operating procedures: collection, accounting of bets/winnings, log of denial of service on RG/AML grounds.

10) Checks and sanctions

Office: comparison of reporting, payment discipline, customer complaints.

Outbound: IT audit, ticket/transaction sampling, staff survey, "mystery shoppers."

Sanctions: fines, additional charges, freezing/revoking licenses, blocking domains/payments.
Mitigation: voluntary disclosure of errors, corrective measures, increased control.

11) Entry roadmap

1. Strategy: product (sports/virtuals), offline/online, partners and providers.
2. Legal registration: group structure, Cypriot company/branch, banks.
3. NBA application: document package, warranty, key persons, RG/AML policy.
4. Technical readiness: platform, reporting interfaces, logs, certification.
5. Pilot: NGR test uploads, coefficient and calculation verification, UAT.
6. Go-Live: incident regulations, freeze configurations, NBA communications.
7. Operations: monthly declarations, deviation control, internal audit.

12) Compliance checklists

Licensing and Finance

  • Class A/B license and valid bank guarantee
  • Local responsible persons assigned
  • Reporting and payment calendar (tax + 3% installments)
  • Contract with Auditor and Primary Storage Procedure

AML/KYC & RG

  • KYC/KYB policies, trigger thresholds, monitoring scripts
  • Sanctions/POP providers, SLAs and data quality
  • Operational RG showcase, limits/timeouts, self-exclusion process
  • Financial Intelligence Reporting and Logging Procedures

Engineering and safety

  • Platform/module certification, version control
  • Immutable logs, time synchronization, redundancy
  • DR plan (RPO/RTO), regular penetration tests/vulnerability scans
  • RBAC/SoD, secret management, encryption

Marketing & Affiliates

  • Rebate T&C revision, correct NGR calculations
  • Approved Creative Directory and Audit Trail
  • Procedures for quick recall of offending materials

13) KPI and operational control

Fiscal: timeliness of declarations ≥99%, accuracy NGR (discrepancy <0.5%).
AML/KYC: average verification time, share of false positives, SLA by escalations.
RG: share of players with active limits, support response time to RG requests.
InfoBase: MTTR incidents, pentest coverage, closing vulnerabilities on time.
Marketing: the share of compliant creatives, the speed of reviews, the quality of traffic on RG.

14) FAQ

Can I offer online casinos in Cyprus?
No, it isn't. Online rates are allowed (class B). Online casino games are not allowed.

Is a Cypriot company needed?
As a rule, a Cypriot legal entity or a branch of an EU/EEA company in Cyprus, local representatives and a bank account are required.

What is the tax model?
Standard 10% of NGR at rates + 3% of earmarked contributions. Plus CIT for legal entities.

How does NBA control work?
Monthly reporting, access to logs/uploads, inspections (desk/field), sanctions for RG/AML/advertising violations.

Ad notata

Specific rates of fees, the size of bank guarantees, reporting formats and lists of documents are periodically updated by NBA acts. Before applying and starting, check the latest forms and technical specifications to avoid additional charges and stops.

Contact

Get in Touch

Reach out with any questions or support needs.We are always ready to help!

Start Integration

Email is required. Telegram or WhatsApp — optional.

Your Name optional
Email optional
Subject optional
Message optional
Telegram optional
@
If you include Telegram — we will reply there as well, in addition to Email.
WhatsApp optional
Format: +country code and number (e.g., +380XXXXXXXXX).

By clicking this button, you agree to data processing.