Norway - Lotteri- og stiftelsestilsynet

(Section: "Markets and Jurisdictions")

1) Market picture and regulator

• Norsk Tipping - betting, online games/casino formats, instant lotteries.
• Norsk Rikstoto - mutual bets on horse racing.
• Private B2C operators cannot work in Norway without a state mandate. For B2B providers, partnerships are possible exclusively through the contours of state operators (under tenders/content supply contracts/platform services).

2) Roles and responsibilities

Ministry of Culture and Equality - gambling and advertising policy, framework acts.
LST - control of compliance with the law, inspections, prescriptions, blocking registers, coordination of responsible play, sanctions.
Nkom/communication providers - execution of domain/advertising locks as prescribed.
Banks and PSP - execution of payment block regulations for unlicensed sites.
Consumer protection bodies and media supervision - control of advertising messages and marketing practices.

3) What is allowed and what is forbidden

Allowed: activities of Norsk Tipping and Norsk Rikstoto; charity/social lotteries for special admissions with a limited food set.
Prohibited: B2C activities of private casino/slot/betting operators without a government mandate; aggressive advertising of gambling, targeting minors; offering services from non-whitelisted domains.
Block measures: LST applies payment and DNS blocks to illegal resources, and also prescribes the removal of advertising and the cessation of marketing activities in Norway (including offshore media channels).

4) Tax and payment loop (high level)

The fiscal model for state operators is determined by individual acts and budget rules (target deduction model for sports/culture/social projects); for charity lotteries - a special regime with reporting discipline.
VAT: bets/winnings, usually outside the scope of VAT; related services (IT, marketing, consulting) are subject to general rules.
Payments: Banks/PSPs are required to comply with payment restrictions in favor of unlicensed providers; merchant categories and payment routes are monitored, and bypasses are suppressed.

5) AML/KYC and responsible play

KYC/KYB: identification/age (18 +), verification of sanctions/POP, confirmation of means of payment; for charitable permits - checking the suitability of organizers.
Transaction monitoring: limits, behavioral anomalies, account/payment instrument links, STR/SAR escalation to authorities.
Responsible Gaming (RG): personal deposit/loss/time limits, "timeouts," self-exclusion, visible RG storefront and access to assistance (incl. national hotline). For government operators, limits are mandatory and built into UX.
Data storage: retention of CUS/logs according to the terms of the law, GDPR compatibility, data protection at the level of European standards.

6) Advertising, promo and affiliates

Prohibitions: targeting minors and vulnerable groups; advertising "guaranteed winnings"; aggressive offers; using "streamer" channels focused on Norway to promote illegal immigrants.
Responsible communication: RG labeling, risk warnings, moderation of creatives and frequency of shows.
Affiliates: for state operators - centralized contracts/guidelines; promoting illegal brands in Norway is punishable by prescriptions and fines, including requirements to remove content and blocking advertising streams.

7) Technical requirements and access of the regulator

Logging: immutable transaction/rate/adjustment logs, time synchronization, end-to-end traceability "rate → calculation → payment → adjustment."

LST access: secure uploads/APIs, test accounts, regular requests for data (including RG/AML).
Reliability/security: DR/BCP with target RPO/RTO, encryption at rest/in transit, RBAC/SoD, periodic pentests/scans.

8) Checks and enforcement actions

Office: comparison of reporting and billing, analysis of GGR/NGR anomalies, compliance with limits and RG procedures.
Field/IT audit: log inspection, sampling sessions, staff interviews, verification of payment routes and advertising integrations.
Sanctions: fines and prescriptions, blocking domains/payments, requirements to remove advertising materials; in case of systemic violations - enhanced monitoring and judicial measures.

9) Roadmap for providers/partners

1. Model of cooperation: determine the role (content studio, platform, risk management, anti-fraud, payments, RG tools).
2. Compliance: RNG/module certification, secure development (SDLC), WORM logging, GDPR compatibility.
3. Compliance package: AML/KYC and RG policies, limit schemes, instructions for identifying vulnerable players, STR/SAR process.
4. Integration: data/reporting formats, APIs, availability and incident SLAs, DR/BCP plan.
5. Marketing: complete refusal to promote unlicensed B2C brands for Norway; compliance with the guidelines of state operators.
6. Pilot and UAT: test cases of calculations/limits/self-exclusions, correctness of billing and reporting forms.
7. Operations: incident log, compliance log, audit cycle (internal/external).

10) Compliance checklists

Legal regime and partnerships

• Confirmed: activity only through state operators (no B2C in Norway).
• B2B contracts are consistent, roles and data flows are described.
• AML/RG responsible persons assigned, contact with LST established.

AML/KYC & RG

• AML/KYC Policies and Procedures, Sanctions/PEP, Source of Funds Triggers.
• RG tools: deposit/loss/time limits, timeouts, self-exclusion; UX Showcase RG.
• STR/SAR logs and storage of KYC dossiers on time.
• Blocking marketing for self-excluded and vulnerable groups.

IT and Security

• RNG/Module Certification; version control and CI/CD with checks.
• WORM logs, time synchronization, log retention.
• DR/BCP plan, pentests/scans, RBAC/SoD, encryption.
• API/uploads for LST and test accounts.

Marketing & Affiliates

[The] ban on unlicensed brand promotions for audiences in Norway.

• Compliance log (screenshots/URLs/dates), quick feedback procedure.
• RG markings and correct T & Cs on all media.

11) KPI and operational control

Fiscal: 99% + timely reporting; discrepancy otchetnost↔billing <0.5%.
AML/KYC: average verification time, false positives fraction, escalation SLA.
RG: proportion of players with active limits; Self-exclusion TTR <1 min; the proportion of incidents by RG.
Infobez: MTTR incidents; pentesting; closing critical vulnerabilities on time.
Marketing: 0 cases of unlicensed brands being promoted to Norway; speed of recall creatives.

12) FAQ

Can I get a private B2C license?
No, it isn't. The main types of gambling are assigned to Norsk Tipping and Norsk Rikstoto.

Is there a whitelist of domains and payments?
Yes I did. LST supports domain/payment blocking mode for illegal immigrants; bank/PSP cooperation is mandatory.

How does a content/technology provider work?
Through tenders/contracts with state operators; requires tech certification, RG/AML policies, and compatible reporting formats.

What are the advertising requirements?
Severe restrictions: no targeting of minors/vulnerable, no aggressive offers; promotion of illegal immigrants is the subject of sanctions.

Note

LST regulations and guidelines are periodically updated (including payment and domain blocking practices, RG metrics and reporting formats). Before starting integrations and campaigns, check the current requirements and technical specifications to eliminate prescriptions, fines and suspensions.