A Malta gambling license is an authorisation issued under the Malta Gaming Authority (MGA) framework for B2C gaming services and B2B critical gaming supply. It remains one of the strongest European regulatory options for serious iGaming operators, but it is not a shortcut jurisdiction: the MGA reviews ownership, source of funds, governance, AML/CFT controls, technical architecture, player protection and post-launch compliance before a business can operate under a Malta gaming license.
A Malta gambling license is an authorisation issued under the Malta Gaming Authority (MGA) framework for B2C gaming services and B2B critical gaming supply. It remains one of the strongest European regulatory options for serious iGaming operators, but it is not a shortcut jurisdiction: the MGA reviews ownership, source of funds, governance, AML/CFT controls, technical architecture, player protection and post-launch compliance before a business can operate under a Malta gaming license.
An MGA license is not an automatic passport into all EU or EEA gambling markets. National rules still apply, and many target markets require a separate local analysis or local licence. Licensing outcomes, costs, tax exposure, substance expectations and timelines depend on the business model, target countries, group structure, outsourcing map, payment stack and the personal profile of owners and key function holders.
License structure, approval bottlenecks and post-license control obligations in one practical overview.
Company setup, ownership mapping, business plan, AML framework, vendor map, financial model and technical architecture are assembled before filing.
The regulator tests fit and proper status, business viability, source of wealth and source of funds, governance and compliance design. Requests for information are common.
A Malta online casino license becomes operational only after technical readiness, system review, control remediation and launch conditions are satisfied.
A Malta gambling license is governed by a layered framework, not by a single statute. The legal core is the Gaming Act, Chapter 583 of the Laws of Malta, but the real compliance burden sits across secondary regulations, MGA directives, AML/CFT rules, company law, tax administration and data protection requirements.
The practical institutional map matters. The MGA authorises and supervises gaming activity, the Financial Intelligence Analysis Unit (FIAU) drives AML/CFT supervision in scope, the Malta Business Registry (MBR) handles company registration and beneficial ownership filings, and the Commissioner for Revenue (CFR) is relevant for tax registration and ongoing tax compliance. This separation is where many competitor pages become inaccurate: a Malta gaming license is not only a gaming-law exercise.
The post-2018 framework also changed how businesses should think about licence classification. Search terms such as malta casino license, casino license malta or malta online gaming license are commercially common, but the legal analysis turns on whether the applicant is offering a player-facing gaming service or supplying critical gaming infrastructure under the MGA regime.
| Law / Regime | Scope | Applies To | Why It Matters |
|---|---|---|---|
| Gaming Act, Chapter 583 of the Laws of Malta | Primary statute establishing the MGA framework, authorisation model, enforcement powers and core concepts for gaming services in Malta. | All applicants and licensees seeking a Malta gaming license or operating under MGA supervision. | This is the legal foundation for any mga license analysis and the starting point for scope, authorisation and enforcement. |
| Gaming Authorisations Regulations | Operational rules for applications, approvals, licence conditions, key persons, ongoing supervision and authorisation mechanics. | B2C operators and B2B critical gaming suppliers. | This is where the practical licensing pathway sits, including approval logic and ongoing obligations. |
| Gaming Licence Fees Regulations | Application fees, annual licence fees and fee architecture relevant to licensed activity. | Applicants and licensees under the MGA framework. | This is the primary legal source for official fee scheduling behind searches such as malta gambling license cost and malta gaming license fees. |
| Gaming Tax Regulations | Rules for gaming tax treatment within the gaming framework. | Relevant gaming operators depending on activity and revenue nexus. | This must be separated from corporate income tax and from compliance contribution to avoid the common “only 5% tax” error. |
| Gaming Player Protection Regulations | Consumer-facing safeguards including player information, account handling, safer gambling measures and complaint handling. | Player-facing B2C licensees. | A Malta online casino license carries direct consumer-protection obligations, not just AML and technical duties. |
| Gaming Commercial Communications Regulations | Advertising and promotional conduct standards for gaming communications. | Operators marketing gaming services. | Marketing strategy, affiliate oversight and bonus messaging can create compliance exposure even after licensing. |
| Gaming Compliance and Enforcement Regulations | Supervisory powers, inspections, sanctions and enforcement tools available to the MGA. | All regulated entities under MGA oversight. | This defines the enforcement reality behind reporting failures, control breaches and non-notified material changes. |
| Prevention of Money Laundering Act and PMLFTR | Malta AML/CFT framework, including customer due diligence, risk-based controls, reporting and governance expectations. | Subject persons in scope, including relevant gaming businesses. | AML supervision is not handled by the MGA alone; the FIAU framework is central to a viable gambling license Malta application. |
| GDPR and Malta data protection framework | Personal data processing, lawful basis, retention, security and data subject rights. | Operators and suppliers processing player, employee or vendor data. | Gaming businesses combine identity verification, payments, behavioural monitoring and fraud analytics, making privacy governance operationally material. |
The correct way to classify a malta gambling license is to start with the operating model. A player-facing operator usually needs a B2C Gaming Service License. A software studio, platform provider or infrastructure supplier usually falls under the Critical Gaming Supply License model. The older market language around Type 1–4 is still widely used in commercial discussions because it helps explain activity categories such as casino, fixed-odds betting, peer-to-peer gaming and controlled skill games.
For search intent, this means that terms such as malta online casino license, online casino malta license and malta casino license usually map to a B2C authorisation analysis, while game studios, PAM providers, sportsbook platform vendors and RNG suppliers are more often in B2B territory. The licensing fit should be tested against who contracts with the player, who controls the wallet, who determines game logic, and who carries reportable operational risk.
| Business Model | License Type | Scope | Notes |
|---|---|---|---|
| Online casino operator | B2C Gaming Service License / commonly associated with Type 1 activities | Player-facing games of chance determined by random outcome, including casino-style products where the operator contracts directly with the player. | This is the common route for a Malta online casino license. Player funds, KYC, AML, complaints handling and safer gambling controls sit directly with the operator. |
| Sportsbook or fixed-odds betting operator | B2C Gaming Service License / commonly associated with Type 2 activities | Betting on events with fixed odds or similar operator-managed betting models. | Trading controls, event risk management, fraud monitoring and payment controls become central. Banking narratives often focus on source of funds and market exposure. |
| Poker network or betting exchange-style model | B2C Gaming Service License / commonly associated with Type 3 activities | Peer-to-peer or commission-based gaming where players compete against each other and the operator takes a rake or commission. | The operator’s revenue model differs from a house-banked casino. This affects GGR logic, reporting and the design of player account segregation. |
| Fantasy sports or controlled skill game model | B2C Gaming Service License / commonly associated with Type 4 activities | Controlled skill games and certain competition formats where legal classification must be checked carefully against current MGA guidance. | Type 4 is often misunderstood. Product design, prize logic and the role of chance versus skill should be documented with precision. |
| Game studio or RNG supplier | B2B Critical Gaming Supply License | Supply of critical gaming components such as game logic, RNG, remote game servers or other critical software used by licensed operators. | B2B does not mean light-touch. The MGA still expects ownership transparency, technical evidence, outsourcing controls and operational integrity. |
| Platform, PAM or white-label infrastructure provider | B2B Critical Gaming Supply License, sometimes combined with additional structuring analysis | Back-office systems, player account management, wallet logic, reporting engines, bonus tools and other critical infrastructure. | The key question is whether the provider is only supplying infrastructure or is also stepping into player-facing regulated functions. |
A viable gambling license Malta application must prove four things at once: the owners are suitable, the money is clean and documented, the business model is commercially and legally coherent, and the operating stack can be supervised in practice. The MGA does not assess only incorporation paperwork. It tests the real operating perimeter of the business.
For most applicants, the highest-friction areas are not the public-facing items such as company registration or share capital. The real scrutiny usually sits in fit and proper assessment, UBO transparency, source of wealth/source of funds, outsourcing governance, AML ownership, and the credibility of the financial model. A weak explanation of payment flows or an unclear group structure can slow a file as much as missing technical evidence.
A frequent misconception is that any EEA company can simply apply for a Malta online gaming license without deeper substance analysis. In practice, supervisory reach, governance control, outsourcing structure, banking readiness and the location of critical functions all matter.
| Requirement | Details | Evidence |
|---|---|---|
| Corporate vehicle and legal structure | The applicant must have a legal entity structure that the MGA can supervise effectively. Group charts, shareholder layers, intra-group service arrangements and control rights should be disclosed clearly. | Certificate of incorporation, constitutional documents, group structure chart, shareholder registers, beneficial ownership records and board resolutions. |
| Ultimate beneficial owners and controllers | The MGA examines who ultimately owns, funds and controls the business. Nominee-heavy or opaque chains create immediate friction. | UBO declarations, passports, proof of address, CVs, police conduct evidence where requested, source-of-wealth narrative and documentary source-of-funds trail. |
| Fit and proper status | Directors, UBOs, senior management and relevant key persons are assessed for integrity, competence and regulatory history. Prior sanctions, unexplained wealth or inconsistent disclosures can derail the application. | Personal questionnaires, professional references, litigation and regulatory disclosure statements, CVs and supporting due diligence documents. |
| Financial viability and capitalisation | The business must show adequate capital, operating runway and a realistic commercial plan. The MGA will test whether projected player acquisition, payment costs, fraud losses and compliance staffing assumptions are credible. | Financial projections, funding plan, bank evidence, investor documents, capital confirmation and a narrative explaining burn rate and contingency reserve. |
| Capital thresholds | Market practice commonly references minimum issued and paid-up capital of €100,000 for Type 1 and Type 2 and €40,000 for Type 3 and Type 4 gaming services, subject to confirmation against the current MGA position at filing date. | Corporate records, capital subscription documents, bank evidence and accounting confirmation where applicable. |
| Key function holders and governance | The MGA expects accountable individuals for core functions. In practice, governance design should identify who owns compliance, MLRO responsibilities, technology, finance and operational control. | Organisation chart, role descriptions, service agreements, CVs, reporting lines and governance policies. |
| AML/CFT and KYC framework | A Malta gaming license requires a risk-based AML/CFT design aligned with the business model, customer profile, payment methods and target markets. Generic template policies are a common weakness. | Business risk assessment, AML manual, customer risk methodology, sanctions/PEP screening process, transaction monitoring rules and suspicious reporting procedures. |
| Player protection and conduct controls | B2C operators must show how they will manage self-exclusion, account restrictions, bonus transparency, complaints and vulnerable-player indicators. | Responsible gaming policy, customer terms, complaints workflow, player fund handling policy and front-end disclosure samples. |
| Technical readiness and auditability | The platform must support traceability, secure access, log retention, incident escalation and independent testing where relevant. The regulator will look beyond a marketing deck and into actual system control design. | System architecture, data flow diagrams, hosting details, security policies, game certificates where applicable, penetration testing or audit materials and change-management procedures. |
AML/CFT for an mga license is a shared-regulator issue. The MGA supervises gaming conduct and operational compliance, but the FIAU is central to the AML/CFT framework. That is why a Malta application should be built as a combined gaming-compliance and financial-crime-control project.
B2C operators carry the heaviest burden because they handle player onboarding, transaction monitoring, source-of-funds escalation, safer gambling interventions and complaints. A technically strong casino platform with weak AML ownership is still a weak application. Equally, a strong AML manual without workable product controls around self-exclusion, deposit limits, cooling-off and player communication is incomplete.
| Workflow Step | Control | Owner |
|---|---|---|
| Customer onboarding | Risk-based KYC, sanctions/PEP screening, age and identity verification, jurisdiction screening and initial risk scoring. | Compliance / Operations |
| Funding and gameplay monitoring | Transaction monitoring, behavioural alerts, source-of-funds triggers, fraud flags and unusual activity review. | MLRO / Fraud / Payments |
| Safer gambling intervention | Deposit limit tools, cooling-off, self-exclusion handling, affordability or risk review where applicable and documented player contact process. | Responsible Gaming / Customer Operations |
| Escalation and reporting | Internal suspicious activity escalation, case management, decision log and external reporting where required. | MLRO |
| Periodic review | CDD refresh, high-risk account reassessment, policy testing, staff training and control tuning. | Compliance |
A malta online casino license is not only a legal approval; it is also a systems-control exercise. The MGA expects a technical environment that can be audited, monitored and explained. The strongest applications describe the full stack: front end, wallet, game integration layer, back office, reporting engine, hosting, access control, incident response and outsourced dependencies.
Not every control is expressed as a single mandatory global standard, but certain expectations are consistently relevant in practice: secure transmission, access segregation, immutable or reliable audit logs, change management, vulnerability management, incident escalation, business continuity and independent testing where game fairness or critical system integrity is in scope. Applicants that show evidence discipline early usually move faster through system review.
A recurring technical failure point is inconsistency between the business plan, the product demo and the real vendor stack. If the wallet, KYC API, game server, CRM and reporting engine are controlled by different parties, the application should show exactly who is responsible for each regulated control.
| Area | Standard | Evidence |
|---|---|---|
| System architecture | Clear mapping of player journey, wallet logic, game flow, reporting outputs, third-party integrations and outsourced components. | Architecture diagrams, data flow maps, vendor register and system responsibility matrix. |
| Access control | Role-based access, privileged access control, segregation of duties and documented joiner/mover/leaver process. | Access policy, role matrix, admin logs and approval workflow. |
| Transport and storage security | Encryption in transit and at rest where applicable; market practice commonly expects modern protocols such as TLS 1.2/1.3. | Security policy, configuration evidence, hosting controls and key-management description. |
| Logging and audit trail | Event logging for account actions, wallet movements, administrative changes, game events and security incidents. | Log retention policy, sample audit trail outputs, SIEM or monitoring description and incident tickets. |
| Game fairness and RNG integrity | Independent testing or certification where RNG-driven products or game logic require validation. | Testing lab certificates, game math documentation, release controls and versioning records. |
| Information security governance | An ISMS-style control environment is strong practice; many applicants align with frameworks such as ISO/IEC 27001 where proportionate. | Security governance documents, risk register, policy suite, training records and audit reports where available. |
| Business continuity and incident response | Documented backup, recovery, failover and incident escalation procedures. Resilience evidence is especially important where wallet, PAM or payment routing is outsourced. | BCP/DRP documents, recovery test records, incident response plan and provider SLAs. |
| Payment security | Payment flow clarity, reconciliation controls and card-data scoping analysis; PCI DSS relevance depends on actual processing scope. | Payment architecture, processor agreements, reconciliation procedure and compliance attestations where applicable. |
The practical route to a Malta gambling license runs through preparation, filing, regulatory review, remediation and technical readiness. The process is not linear in every case because the MGA may issue requests for information, ask for clearer source-of-funds evidence, challenge the outsourcing model or require technical remediation before go-live.
Define the target business model, licence scope, target markets, ownership map, funding route, governance model and vendor perimeter. This is where the applicant decides whether it is pursuing a B2C gaming service model, a B2B critical gaming supply model or a more complex structure involving multiple regulated roles.
Build the application pack: corporate documents, personal due diligence, business plan, financial forecasts, AML/CFT framework, player protection materials, technical architecture and outsourcing register. The strongest filings answer regulator questions before they are asked.
The MGA assesses ownership, controllers, source of wealth, source of funds, competence, integrity and governance. This stage often generates detailed requests for clarification, especially where wealth accumulation, historic transactions or cross-border structures are not explained cleanly.
The regulator tests the viability of the business model, the realism of projections, the payment setup, outsourcing controls, player fund logic and the overall compliance design. A weak banking narrative or unrealistic CAC assumptions can undermine a file even if the legal documents are complete.
Before a Malta online gaming license becomes operational, the applicant must show that the platform and control environment match the approved model. This is where architecture, logs, RNG evidence, release management, incident handling and reporting outputs are tested in practice.
After approval conditions are met, the business moves into live operation under ongoing reporting, audit, notification and control obligations. Licence issuance is the start of supervision, not the end of the project.
The file should read like one operating model, not like disconnected policy appendices.
| Document | Purpose | Owner |
|---|---|---|
| Group structure chart | Shows ownership, control, service flows and regulatory perimeter. | Legal / Founders |
| Business plan and financial model | Explains product, markets, revenue logic, burn rate, funding and operational assumptions. | Founders / Finance |
| AML/CFT documentation pack | Demonstrates risk-based KYC, monitoring, escalation and MLRO governance. | Compliance |
| Technical architecture pack | Maps systems, vendors, security controls, logs, hosting and critical integrations. | CTO / Product / Vendors |
| Source-of-funds and source-of-wealth evidence | Supports fit-and-proper review and funding legitimacy. | UBOs / Legal |
| Player protection and terms pack | Shows how the operator handles player funds, complaints, disclosures and safer gambling. | Compliance / Operations |
Pre-filing checklist
These items define perimeter clarity, application readiness, and first-line control credibility.
Sequence these after the core perimeter, governance, and launch-control decisions are stable.
The correct way to analyse malta gambling license cost or malta online gambling license cost is to separate official MGA fees from real first-year operating cost. Official fees are only one layer. A serious budget also includes incorporation, legal work, compliance build-out, technical audit, security controls, accounting, staffing, banking, payment integration and contingency capital.
The common market shortcut “Malta is a 5% tax jurisdiction” is legally unsafe. A Malta gaming business may face the standard corporate tax framework, possible shareholder refund mechanics depending on structure, separate gaming tax rules where applicable, and separate MGA-linked charges such as compliance contribution. These are different concepts with different bases.
For budgeting, founders should use a simple first-year formula: Year 1 total = application fee + annual licence fee + compliance contribution + incorporation + legal/compliance setup + technical audit/testing + staffing + office/substance + banking/payment setup + contingency reserve. That formula is more decision-useful than any headline fee table.
| Cost Bucket | Low Estimate | High Estimate | What Drives Cost |
|---|---|---|---|
| Official MGA application fee | €5,000 | €5,000 | Commonly cited official filing fee for an MGA application. Verify the current schedule at filing date under the applicable fee regulations. |
| Annual licence fee | Varies by licence type | Varies by licence type | Market materials often cite €25,000 for certain B2C categories and €10,000 for certain Type 4 references, but current classification and fee schedules must be checked against the live MGA framework. |
| Compliance contribution | Revenue-dependent | Revenue-dependent | Usually linked to activity type and revenue bands. The core concept is that charges are not only fixed; they can scale with business performance. |
| Incorporation and corporate setup | €3,000 | €15,000+ | Depends on group complexity, shareholder layers, constitutional drafting and beneficial ownership work. |
| Legal and licensing advisory | €15,000 | €75,000+ | Wide range driven by whether the file is lean B2B, standard B2C or a multi-entity structure with remediation rounds. |
| AML/compliance framework build | €5,000 | €30,000+ | Includes risk assessment, AML manual, responsible gaming controls, governance documents and implementation support. |
| Technical audit, testing and security readiness | €10,000 | €60,000+ | Driven by platform maturity, game testing scope, architecture complexity, penetration testing and remediation needs. |
| Staffing and key control functions | €30,000 | €200,000+ | MLRO, compliance ownership, finance, technical operations and governance support can materially change the real malta online casino license budget. |
| Banking and payment setup | €5,000 | €50,000+ | Includes account opening work, processor onboarding, reserves, legal reviews and integration costs. High-risk gaming onboarding can be slow and document-heavy. |
| Office, substance and local operations | €5,000 | €80,000+ | Actual substance expectations depend on structure, governance and operating model. This cost is often underestimated by first-time founders. |
No. An MGA license does not create automatic passporting across all EU or EEA gambling markets. Gambling remains heavily national in regulatory treatment, and many countries require a local licence, local approval or a separate legal analysis before any player acquisition or offering is allowed.
What the MGA does provide is a strong regulated base. It can improve credibility with banks, payment processors, B2B counterparties, investors and due diligence teams. It can also support market-entry conversations because the operator is already coming from a recognised supervisory framework. But that is not the same thing as legal permission to target every country in Europe.
The practical test is not “Do we have a Malta casino license?” but “For each target country, do we have a lawful route to offer, market, process payments and contract with players?”
| Market | What License Allows | Limits / Caveats |
|---|---|---|
| Malta-regulated operations under approved scope | The MGA authorisation allows the licensee to operate within the approved licence perimeter and under the conditions attached to the authorisation. | The operator must still comply with ongoing MGA obligations, AML/CFT rules, player protection duties and any market-specific restrictions relevant to where players are targeted. |
| EU/EEA markets with national licensing regimes | An MGA license can strengthen credibility and due diligence positioning when approaching regulated opportunities. | It does not replace local licensing, local approvals, local tax analysis or local advertising rules in nationally regulated markets. |
| Banking and payment counterparties | A Malta gaming license often helps explain regulatory status, governance quality and control maturity to financial institutions. | Banks and PSPs still run their own risk reviews covering target markets, source of funds, fraud exposure, chargeback profile and sanctions risk. |
| B2B commercial partnerships | An MGA-regulated profile can make supplier onboarding and contract negotiations easier because the compliance baseline is familiar. | Counterparties may still require separate certifications, local legal opinions, technical audits or market-specific restrictions in the contract. |
The structuring choice is strategic. An own malta gambling license gives maximum regulatory control and long-term enterprise value, but it also creates the full compliance burden. A white-label or hosted model can reduce time-to-market in some cases, yet it may limit control over player data, payment routing, product roadmap and market access strategy.
The key legal question is who actually performs the regulated activity. If the applicant wants to own the player relationship, wallet, compliance logic and market-entry roadmap, an own licence is usually the cleaner long-term model. If the business is still validating product-market fit, a hosted structure may be commercially useful, but it should be analysed carefully so that responsibilities are not blurred.
| Option | Advantages | Limitations | Best For |
|---|---|---|---|
| Own MGA licence | Direct regulatory status, stronger enterprise value, cleaner control over player relationship, better long-term flexibility for banking, payments and jurisdiction strategy. | Higher setup cost, slower launch, heavier AML/CFT and player protection burden, more governance and audit overhead. | Well-funded operators, serious B2B suppliers and businesses targeting long-term regulated growth. |
| White-label or hosted arrangement | Potentially faster commercial launch, lower initial infrastructure burden and access to an existing operational stack. | Less control over wallet, data, compliance decisions, market expansion and product changes; contractual dependency can become a strategic bottleneck. | Early-stage teams testing distribution or product assumptions before committing to a full own-licence build. |
Most MGA delays are caused by evidence quality, not by missing buzzwords. The regulator is used to polished decks. What slows files is when the documents do not reconcile: the ownership story does not match the funding trail, the business plan does not match the technical stack, or the AML framework does not fit the actual payment model.
The fastest way to weaken a gambling license Malta application is to treat it as a form-filling exercise. The MGA reviews the business as an operating system. If one part of that system is not credible, the whole file becomes slower and riskier.
Legal risk: Fit-and-proper concerns, enhanced scrutiny, possible refusal or prolonged requests for information.
Mitigation: Disclose the full ownership chain, control rights, funding path and beneficial ownership evidence from the start.
Legal risk: AML/CFT and integrity concerns affecting both the applicant and key funding parties.
Mitigation: Prepare a document-backed wealth narrative with transaction trail, sale documents, dividend records, tax evidence or other primary support.
Legal risk: Regulator may conclude that AML governance is cosmetic and not operationally implemented.
Mitigation: Build a risk assessment tied to target markets, payment methods, player profile, fraud vectors and escalation ownership.
Legal risk: Go-live delay, remediation costs and possible inability to activate the licence operationally.
Mitigation: Document architecture, logs, access controls, vendor dependencies and testing evidence before technical review begins.
Legal risk: Business viability concerns and doubt about the applicant’s ability to maintain compliance after launch.
Mitigation: Use conservative assumptions, show downside cases and include a contingency reserve of at least a realistic operational buffer.
Legal risk: Operational viability concerns, especially where deposits, withdrawals and AML monitoring depend on third parties not yet engaged.
Mitigation: Show processor pipeline, onboarding status, reserve assumptions, reconciliation ownership and fallback arrangements.
Legal risk: Unclear accountability for critical regulated functions and weak supervisory visibility.
Mitigation: Create an outsourcing register with service scope, oversight owner, SLA, audit rights and contingency plan for each critical provider.
These are the questions founders, legal teams and B2B suppliers ask most often when evaluating an mga license, a malta gaming license or a malta online casino license in 2026.
A Malta gambling license is an authorisation issued under the Malta Gaming Authority (MGA) framework for either player-facing gaming services or critical gaming supply. In legal terms, the correct analysis is usually whether the business needs a B2C Gaming Service License or a B2B Critical Gaming Supply License.
A realistic end-to-end timeline is often 6–12+ months. Preparation, fit-and-proper review, source-of-funds clarification, technical readiness and remediation rounds all affect timing. A universal 4-month estimate is usually too optimistic for 2026.
The cost has two layers: official MGA fees and real first-year operating cost. The application fee is commonly cited as €5,000, but the total first-year budget can be many times higher once legal, compliance, technical audit, staffing, banking, payment setup and substance costs are included.
A B2C licence is for businesses that contract with players and operate gaming services directly, such as an online casino or sportsbook. A B2B Critical Gaming Supply License is for suppliers of critical gaming software or infrastructure such as game studios, PAM providers, platform vendors or RNG suppliers.
No. An MGA license does not automatically passport gambling services across all EU or EEA markets. It provides a strong regulated base and can help with credibility, but each target market still requires its own legal and regulatory analysis.
The safe answer is that structure and substance must support effective MGA supervision. It is not enough to rely on a simplistic statement that any EEA company will work. The right setup depends on the business model, governance, outsourcing map, key persons and operational control.
Tax analysis should separate the standard corporate tax framework, possible shareholder refund mechanics depending on structure, gaming tax where applicable and compliance contribution under the gaming regime. “Only 5% tax” is an oversimplification and should not be used for decision-making.
The business moves into ongoing supervision. That includes reporting, possible audits, player fund controls, AML/CFT operation, incident notification, approval or notification of material changes, and continued oversight of outsourcing, key persons and technical systems.
It can be suitable for well-funded, compliance-ready startups targeting regulated growth. It is usually a poor fit for low-runway founders seeking the cheapest or fastest launch, especially where banking, AML ownership and technical audit readiness are not yet in place.
Buying a company does not remove MGA scrutiny. The regulator still reviews ownership, controllers, source of funds, governance, licence scope, technical readiness and compliance design. In practice, a weak acquisition structure can create more questions rather than fewer.
Before starting an MGA license project, confirm six points: (1) the target markets justify a Tier-1 regulatory route; (2) ownership and funding can withstand fit-and-proper review; (3) the business has enough runway for a real first-year budget, not just filing fees; (4) AML, player protection and key function ownership are already mapped; (5) the technical stack is audit-ready and outsourcing is documented; and (6) the team understands that a Malta gambling license is not an EU passport. If those points are not yet in place, the right move is usually to fix readiness first and file second.
