Facts on regulation
Laws, Requirements, and the New Meaning of “Reasonable Measures”
A global overview of how 2020–2025 reforms tightened—but did not fully settle—the meaning of “reasonable measures” for licensed operators and their suppliers, and how layered rules on gambling, AML, sanctions, privacy, and marketing now define the real room for manoeuvre
Intro
Since 2020, the idea of “reasonable measures” in online gambling has expanded from basic age checks and reactive controls to a dense web of obligations: risk‑based KYC and AML under EU and national rules, sanctions and access controls, data‑heavy monitoring for safer gambling, and stricter marketing standards to protect children and young adults. At the same time, privacy and data‑protection laws such as GDPR constrain how far profiling, geolocation, and retention can go, and each jurisdiction builds its own stack of rules on top of shared risks. The result is a moving target: regulators have narrowed what is acceptable, but the exact line of what counts as “reasonable” still depends heavily on where the player sits—and which regulator is asking the question.
Many roads to “reasonable”: regulators are narrowing the range of acceptable approaches, but each jurisdiction still charts its own route.
From policies to proof of systems
A decade ago, many online operators met their obligations with static policies, basic age and ID checks, and reactive responses to clear red flags.
Today, the same term, “reasonable measures”, typically implies risk‑based KYC, sanctions screening, continuous behavioural monitoring, detailed logging and retention rules, tested intervention processes, and the ability to demonstrate all of that to regulators in multiple jurisdictions.
Regulators have become more explicit about this shift.
As the UK government put it in its 2023 reform White Paper, operators must take all reasonable steps to identify customers at risk and to intervene before harm occurs, not after the fact.
Sweden’s Gambling Authority describes reasonable measures as a duty of care that requires licence‑holders to monitor behaviour, assess individual risk, and act in a way that is appropriate and proportionate to that risk.
Under the new AML package, EU legislators now frame reasonable measures as robust, risk‑based AML programmes with harmonised due diligence, monitoring, and sanctions checks, not merely a set of written procedures.
From the industry side, Eric Frank, now CEO of Integrity Compliance 360 (formerly Odds On Compliance), has argued that stricter AML and KYC measures are rapidly becoming the standard, with operators treating robust safeguards as part of their long‑term licence to operate rather than a box‑ticking exercise.
Mapping out the layers: “reasonable measures” are built like a multi‑tier cake, with gambling, AML, sanctions, privacy, marketing and other rules all needing to fit together in a workable system.
Drawing the map: layers of “reasonable measures”
To understand what reasonable measures mean in practice, it helps to view them as a stack of overlapping rule‑sets that apply, to different degrees, in every regulated iGaming market.
Gambling and safer‑gambling law – National gambling acts, licence conditions and technical standards define duties of care, mandatory tools (limits, self‑exclusion, reality checks) and, increasingly, expectations for real‑time monitoring of behaviour.
Marketing and youth‑protection rules – Statutes and advertising codes restrict content, bonuses, and sponsorships, especially around minors and young adults, and require “socially responsible” messaging and prominent risk information.
AML, CFT, and sanctions regimes – EU AML directives and the new AML package, plus national AML and sanctions laws, require risk‑based customer due diligence, ongoing monitoring, beneficial‑ownership checks, and screening against sanctions lists.
Criminal law on money laundering and fraud – Harmonised at the EU level by AMLD6 but implemented nationally, these rules define offences and liability when AML controls fail or are knowingly circumvented.
Cybersecurity and operational‑resilience rules – NIS2 and similar regimes treat many gambling operators and suppliers as essential or important entities, imposing structured risk‑management, incident‑reporting, and governance obligations.
Privacy and data‑protection law – GDPR and equivalent frameworks constrain profiling, geolocation, and retention, requiring operators to show that data‑intensive AML and safer‑gambling systems are necessary and proportionate.
Territorial and market‑access rules – EU internal‑market jurisprudence, national licensing models, and, in North America, state or provincial statutes define who may offer what, from where, and under which technical and hosting conditions.
Soft‑law and industry standards – Non‑binding pan‑European AML guidelines, responsible‑gambling standards, and payment‑scheme rules shape regulators’ expectations of good practice, even where they are not formally binding.
“Reasonable measures” today sit at the intersection of these layers: in any given market, the operative definition is the particular combination of gambling and marketing rules, AML and sanctions duties, security and privacy requirements, and territorial constraints that apply to a given product and business model.
Global data flows and fragmented rulebooks
How the layers differ by jurisdiction
The common layers are assembled differently across key markets, which is why doing “everything right” in one jurisdiction does not guarantee that the same system will be considered reasonable somewhere else. The following are a few examples.
United Kingdom
In the UK, the gambling and safer‑gambling layer is especially prominent. Licence conditions and the 2023 White Paper require operators to take all reasonable steps to identify at‑risk customers and intervene, using financial vulnerability checks, behavioural triggers, deposit‑limit tools, and self‑exclusion systems. AML rules treat remote operators as obliged entities, with clear expectations for risk‑based KYC, ongoing monitoring, and prompt reporting of suspicious activity. Recent enforcement makes clear that minimal checks are no longer acceptable. Marketing codes restrict content likely to appeal to children or young adults and demand prominent risk messages, making promotional strategy part of the reasonable‑measures discussion. For UK‑facing operators, reasonable measures therefore describe an integrated system of financial and behavioural monitoring, controls on advertising, and unmistakable evidence that interventions are timely and effective.
Sweden and the broader EU framework
Sweden illustrates how EU‑level rules combine with national choices. Duty‑of‑care guidance from the regulator expects continuous monitoring of play, individual risk assessments, and proportionate interventions. EU AML directives and the new AML package add harmonised expectations for risk‑based programmes, customer due diligence, and sanctions screening, while Swedish proposals such as “Spellagens tillämpningsområde, Ds 2025:23” and related sanctions reforms aim to extend obligations to block unlicensed and sanctioned play, including through automated screening and VPN/proxy detection. NIS2 and GDPR together push operators to strengthen cybersecurity and to justify the extensive data processing used for both AML and player protection. In this stack, reasonable measures now cover behavioural analytics, sanctions and access controls, and data‑governance choices that can be defended under EU privacy law.
Ontario and selected US states
In Ontario and many US states, territorial and hosting rules are unusually important. Licences often require in‑state servers, state‑specific technical standards for logging, backups, and disaster recovery, and regular reporting to local regulators. AML and responsible‑gambling frameworks expect programme‑based controls, including ongoing monitoring, defined safer‑gambling tools, and clear escalation procedures for suspicious or harmful activity. Marketing rules and league or regulator‑driven standards add further constraints on how bonuses, odds, and sponsorships can be promoted. For operators and infrastructure providers, reasonable measures here include not only KYC and monitoring but also demonstrating that systems are physically and logically aligned with each state or province’s rulebook—exactly the fragmented reality highlighted in the interview with Rickard Vikström.
Reasonable measures as a team sport: modern compliance brings legal, risk, technology and operations around the same table.
Where this leaves “reasonable measures”
Across these examples, the direction of travel is consistent even if the local layers differ. What counted as reasonable a decade ago—static policies, basic checks, and largely reactive interventions—would now be viewed as inadequate in most regulated markets.
Today, regulators and industry standards converge on a definition that involves risk‑based KYC, sanctions screening, continuous monitoring of behaviour and transactions, structured safer‑gambling tools, detailed logging and retention, and governance that can withstand scrutiny across multiple jurisdictions.
At the same time, privacy, security, and territorial rules place real limits on how far that expansion can go, ensuring that “reasonable measures” remains a standard to be interpreted rather than a fixed checklist.
Further reading & Key Sources
High stakes: gambling reform for the digital age (UK Government, 2023) – https://www.gov.uk/government/publications/high-stakes-gambling-reform-for-the-digital-age
Navigating the EU AML package: implications for online gambling service providers – https://www.twobirds.com/en/insights/2025/germany/navigating-the-eu-aml-package-implications-for-online-gambling-service-provider
EGBA pan‑European anti‑money‑laundering guidelines for online gambling (2025) – https://www.egba.eu
Redefining Reasonable: Regulatory Transformation in Global iGaming
Article 2 of 4 in a series exploring “European gambling regulation in focus”: Laws, Requirements, and the New Meaning of “Reasonable Measures”