April 9, 2026
- Dr. Wulf Hambach, Founding Partner, Hambach & Hambach Law Firm
- Dr. Stefanie Fuchs-Raicher, Senior Partner, Hambach & Hambach Law Firm
- Christina Kirichenko, Senior Associate, Hambach & Hambach Law Firm
The future of online gambling regulation in the EU: From fragmentation to functional governance
EFFECTIVE HARMONIZATION IN EUROPEAN GAMBLING REGULATION MAY BE CLOSER THAN IT SEEMS
Abstract
Experience across diverse sectors shows that top-down legal harmonization in the European Union (“EU”) is often necessary, but it is neither sufficient for, nor the sole driver of, meaningful convergence. This article explores the possibility that a viable path towards harmonization for the EU’s online gambling industry may lie in incremental, bottom-up functional convergence. By examining successes and failures of EU harmonization efforts in other regulated industries, the authors argue for a gambling law harmonization model based on mutual collaboration, technical standards, third-party conformity assessments, and market-facing clarity.
Introduction
The European experience across regulated industries shows that regulatory harmonization rarely succeeds through top-down political acts alone. Although single, top-down legislation has recently gained more popularity as a harmonization tool, maximum harmonization often develops through incremental convergence that combines law, implementing instruments, technical standards, and most importantly, coordinated supervision and enforcement. This would suggest that legal harmonization is necessary but insufficient. Convergence only becomes effective when supervisory expectations, enforcement practices, and operational standards and interpretations are aligned. Otherwise, even highly harmonized legal frameworks can magnify significant differences in national regulatory culture.
This realization is equally critical for the online gambling industry, as full legal harmonization from “above” is neither politically nor legally realistic, given the wide national discretion over moral policy, public health, fiscal interests, and enforcement efforts. Simultaneously, continuous reliance on national rules in a borderless online market has already proven ineffective. The most viable path for the gambling industry is therefore incremental, functional convergence. This involves building a shared technical and operational understanding before even attempting to build a shared political one.
Analysis
The mechanics of harmonization
The current state of harmonization in financial services, data protection and product safety may illustrate how this process works and, most importantly, where it fails.
What is harmonization?
At its core, regulatory harmonization in the EU is the process of aligning different sets of national laws, standards, and practices into a coherent, compatible framework. Its primary goal is to eliminate “regulatory friction”, the extra costs and legal risks that arise when businesses must follow 27 different sets of rules for a single product, which is particularly difficult in a borderless digital landscape.
Financial Services: the evolution of the Single Rulebook
Financial services illustrate both failures and successes of harmonization. Early EU frameworks relied on minimum harmonization via EU Directives to be implemented in the laws of Member States, mutual recognition, and home-state supervision. The financial crisis exposed the limits of this model, as fragmentation became a systemic risk to the internal market.
The EU’s response was the creation of the Single Rulebook[1], described by the European Banking Authority (“EBA”) as “a single set of harmonized prudential rules” applicable across the EU. The shift toward instruments such as MiFID II, EMIR, and CRR/CRD IV reflects a move toward maximum harmonization. Crucially, this normative convergence was paired with supervisory harmonization through EU agencies, most notably the European Securities and Markets Authority (“ESMA”), which was granted direct supervisory powers over certain cross-border market infrastructures. Also, the Single Supervisory Mechanism (“SSM”) transferred supervision of major banks to the European Central Bank (“ECB”)[2], explicitly to ensure that EU rules were applied consistently.
What made harmonization work more efficiently in this case was partial centralization of supervision and the development of binding technical standards (RTS/ITS) that constrained national discretion. They translated high-level legislative obligations into defined, granular and directly applicable supervisory requirements. These instruments narrowed interpretative variance and limited supervisory discretion[3].
The problem of fragmented supervision
On the other hand, many financial institutions provide a clear example of the limits of the current harmonisation model, for example payment service providers (“PSPs”). Although these sit under the fully harmonised legal framework of the Revised Payment Services Directive (“PSD2”), they remain almost entirely nationally supervised. This has produced differences in supervisory culture, risk tolerance, and enforcement style that directly affect their cross-border operation.
In theory, under the PSD2, a PSP authorised in one EU Member State can passport services across the EU under the same standards. In the EU, passporting is the legal mechanism that allows regulated businesses authorized in one Member State to provide their services across the entire EU/EEA without needing additional local licenses. In practice, however, supervision and enforcement are carried out by national competent authorities, and those authorities have materially different approaches to interpretation, risk, compliance expectations, and intervention thresholds.
Supervisory divergence is also visible in the intensity of enforcement. According to EBA supervisory convergence reports,[4] some authorities rely heavily on thematic reviews and early remediation, while others intervene only after breaches become material, leading to inconsistent outcomes for similar conduct. For entities operating across multiple EU Member States, this means that identical business models can face markedly different compliance burdens. The EU Commission itself has acknowledged these problems in the context of the upcoming revision of the Payment Services Directive (“PSD3”) and Payment Services Regulation (“PSR”) reforms[5]. The EU Commission explicitly argues that further harmonisation and a move toward more directly applicable rules are needed because divergent national supervision under PSD2 has undermined consistency and consumer protection.[6]
Data protection: the limits of full harmonization
The General Data Protection Regulation (“GDPR”) represents the EU’s most ambitious legal harmonization so far. As a regulation, the GDPR applies directly across all EU Member States. However, the GDPR highlights the limits of legal convergence, since, in practice, differences in procedural law, regulatory capacity, and enforcement priorities have led to inconsistent outcomes, sometimes even within one country (e.g. Germany[7]).
Thus, the GDPR vividly illustrates the limits of (almost) full legal harmonization when enforcement remains nationally fragmented. Although the European Data Protection Board (“EDPB”) can issue opinions, guidelines and even sometimes binding decisions, the investigative capacity, procedural speed, and sanctioning practice continue to vary widely.
The success of technical standards
In our opinion, one of the most effective models of European harmonization has been achieved through harmonisation by technical standards. Sectors such as product safety and automotive regulation demonstrate that alignment succeeds where lawmakers agree on essential objectives, while detailed, operational requirements are delegated to shared technical standards. These standards translate abstract legal principles into testable and auditable compliance criteria, allowing enforcement to converge even where national authorities retain formal competence. Harmonization works here because regulators assess risk and compliance against the same technical benchmarks.
For example, the General Product Safety Regulation, applicable since December 2024, sets uniform safety obligations across the EU and strengthens market surveillance, including online marketplaces. What makes this regime durable is the reliance on harmonised European standards developed by bodies such as CEN and CENELEC. Compliance with these standards provides a presumption of conformity with EU law.
In other regulated sectors across Europe, harmonised legal requirements are often operationalized through independent conformity-assessment organisations that perform technical testing, auditing, and certification against shared standards. A contemporary example is the development of standards and assessment frameworks for complex artificial intelligence systems. The German standards body DIN and its partners have emphasised that even highly complex systems can be made testable and certifiable by building common technical criteria and structured conformity assessment processes. These can be supported by accredited organisations such as TÜV AI.Lab that specialise in evaluating compliance with the criteria. This work reflects a broader approach to standardisation in areas like AI, where standards (such as DIN SPECs) define measurable requirements and accredited auditors produce reproducible evidence that a system is compliant, even where inherent complexity would otherwise impede objective evaluation.
The horizontal harmonization framework applicable to online gambling
Horizontal harmonization is best understood as the set of cross-sector EU regimes that bind their addressees regardless of whether the respective sectoral law is harmonized. In other words, even if EU Member States retain competence, for example, over gambling policy (licensing models, product permissions, channelisation choices), gambling operators are already subject to shared EU-level rules that partially standardize the compliance infrastructure around online gambling: how player data is processed, how payment flows are monitored and controlled, how consumer communications are assessed, how online distribution and advertising are governed, and how algorithmic systems used in risk scoring and harm detection must be governed.
Thus, online gambling is already subject to meaningful horizontal harmonisation, for example, in personal data governance (the GDPR), financial integrity controls (the AMLD), consumer-facing conduct (the UCPD), online distribution and content governance (the DSA), emerging algorithmic governance (the AI Act), and many others, as this list is illustrative and not exhaustive. All these instruments form part of the existing harmonized legal framework upon which gambling-specific technical standards (e.g., common reporting formats or harm markers) can be layered to drive functional convergence without requiring politically unrealistic full harmonization of national gambling laws.
A roadmap for harmonization in the online gambling industry
Harmonization in the online gambling industry cannot follow the same path as financial services or product safety, because gambling laws touch national moral policy, public health priorities, and fiscal interests. The EU legal framework and case law make clear that EU Member States retain wide discretion in defining their gambling policy objectives. As a result, full legal harmonization of gambling rules at the EU level is neither politically nor legally realistic. However, experience from other sectors shows that harmonisation does not necessarily need to occur at the level of policy choice to be effective.
Thus, in our opinion, the most viable route to harmonization in gambling is incremental, functional convergence that begins with technical and procedural harmonisation, supervisory convergence and market-facing clarity.
One of the recent examples of the combination of technical and (partly) procedural harmonization in the EU can be found in the Digital Operational Resilience Act (DORA) mentioned above. A prominent example is DORA’s ICT incident reporting framework for financial services. Before DORA, financial institutions were already subject to incident reporting obligations; however, “major incidents” were defined differently across the EU. Financial institutions had to use different reporting templates, with different timelines and data fields. DORA addressed this by harmonizing technically and procedurally how incidents are identified, classified and reported. DORA itself sets the obligation in principle; decisive harmonization occurs through binding Regulatory Technical and Implementing Standards (RTS/ITS).
Although in the case of online gambling this process cannot take place top-down as described above, regulators can agree on certain common technical definitions and standards without having to agree on whether gambling should be more or less restrictive. Common harm markers, standardized player-risk indicators, shared intervention categories, interoperable reporting formats and the like would significantly reduce fragmentation in how risk is identified and assessed and how the risk of the operation itself is structured. Once regulators and operators are working with the same underlying concepts, divergence would narrow automatically, even if national implementation, risk thresholds and gambling policy may still differ.
A concrete example within the gambling context already exists in Germany, namely the TÜV certification scheme “Geprüfte Qualität in Spielhallen” (“Tested quality in gaming arcades”), under which specialized, accredited audit organisations assess compliance with defined standards on player protection, youth protection, and operational safeguards. These audits are conducted against structured criteria, follow standardized procedures, and result in comparable, verifiable certification outcomes that regulators can rely on without conducting the technical assessment themselves.
One further step towards convergence would be procedural harmonisation. One of the most recent examples of procedural harmonization from “above” is the reform of cross-border GDPR enforcement procedures. Although the GDPR achieved full legal harmonisation, enforcement of cross-border cases relied on national procedures, coordinated through the “one-stop-shop” mechanism (Art. 56 et seq. GDPR). Cross-border cases took years to resolve and procedural differences between the EU Member States blocked consistent enforcement. The EDPB and the EU Commission acknowledged that harmonized substantive law was not enough if procedures remained national and divergent. The EU’s proposal of July 2023 lays down common rules on the admissibility of complaints, harmonized rights of defence for investigated entities, mandatory cooperation timelines, standardized procedures for information exchange and objections, and clearer rules for dispute resolution between the data protection authorities. Adopted on 21 October 2025 and in force since 1 January 2026, it becomes applicable on 2 April 2027.
One of the clearest operational problems for online gambling entities operating in the EU is the lack of consistent processes across borders. However, voluntary harmonization of processes should not require a central EU gambling authority. Regulators could potentially agree on procedures for cooperation and mutual recognition at the administrative level: common triggers for information exchange, aligned investigation timelines, or structured escalation mechanisms. While full legal harmonization without aligned procedures may still result in inconsistent application, harmonizing certain procedures first can deliver practical convergence even where substantive rules would remain national.
Further harmonisation can be advanced through supervisory convergence. Gambling regulators could pursue a similar convergence pathway by jointly developing supervisory handbooks, sharing case studies, and agreeing on baseline expectations for licensing reviews, audits, enforcement and sanctions. This would not eliminate national discretion, but it may well reduce unpredictability for cross-border operators[8].
Finally, harmonization must address market-facing clarity. Other sectors have learned that regulation, and most importantly, channelling, fails if consumers cannot recognise regulated products. In online gambling, the inability of players to distinguish legal from illegal offers undermines both consumer protection and enforcement credibility. Harmonization here means shared principles for consumer-facing signals: consistent use of licensing identifiers, clear disclosures, and restrictions on how unlicensed or hybrid products present themselves.
For example, Ontario’s online gaming framework explicitly treats consumer recognition as a regulatory objective. When Ontario opened its regulated online gambling market in April 2022, regulators acknowledged that enforcement alone would not displace the unregulated market unless players could clearly recognise which offers were legal and regulated. To address this, Ontario implemented a market-facing clarity model built around three elements: visible regulatory signals, clear public communication, and restrictions on how unregulated or non-authorised operators may present themselves.
In 2023, Ontario’s authorities published research[9] showing that more than 86 percent of Ontario’s online gamblers knowingly play on regulated sites. The study explicitly links this outcome to visibility, recognisability, and trust in the regulated market. The Ontario Attorney General described this as a “made-in-Ontario” model that displaces the unregulated market by making regulation visible to consumers. In contrast, in many European gambling regimes, players struggle to distinguish legal from illegal offers, especially online and in hybrid formats.
Ontario’s experience mirrors what the EU has learned in product safety (CE-marking) and food regulation (mandatory labelling): consumer-facing signals are essential for enforcement credibility. Where consumers can easily identify regulated and legal products, regulators gain leverage; where they cannot, unregulated markets may still flourish.
This is particularly important for hybrid gaming formats, which often fall outside traditional gambling definitions, thus remaining license-free, but which function similarly from the user’s perspective. Harmonisation would require a functional approach to such hybrid and/or borderline products. Prediction markets[10], sweepstakes, social casinos, gamified investment tools, and media-based prize formats cannot be regulated effectively through rigid category boundaries. Other sectors have moved toward activity-based regulation, focusing on risk and consumer impact rather than formal labels. Gambling regulators will need to adopt the same logic if they want convergence in EU online gambling markets, especially where users need to distinguish license-free models from illegal gambling offers.
Conclusion: Outlook for the Gambling Industry
EU standardization bodies and gambling authorities seem to have already started down the suggested path. Technical harmonization through common standards is already taking root in the online gambling industry. CEN (European Committee for Standardization) has approved standards such as EN 17531 for reporting in support of supervision of online gambling. This standard creates a shared data and reporting architecture, meaning regulators can compare apples to apples across jurisdictions.
Over time, de facto harmonization of technical standards is likely to generate product-level convergence across the EU. In practical terms, gambling products themselves may increasingly be structured and presented in a uniform manner across jurisdictions, to a large extent without national deviations in product design, algorithmic logic, or product text. That said, divergent national framework conditions will continue to exert their influence even with existing common standards (for example, Germany’s player limit rules), and technical harmonization alone will not entirely eliminate those structural differences.
Further, the European Gaming and Betting Association (“EGBA”) has been actively involved in developing harm markers: standardized indicators of risky or harmful behaviour. While this is not EU law, the initiative has gained traction among national regulators as a reference model for safer gambling frameworks. These markers aim to define common behavioural risk signals (e.g., escalating deposits, rapid session frequency), enable standardised intervention logic, and support automated monitoring systems. National standardization bodies have already voted in favour of the EGBA-proposed initiative. Once widely adopted, these markers will function as a de facto pan-European technical standard for detecting risk. According to EGBA, “The finalisation process is expected to be complete by early 2026. Once published, the standard will be available for voluntary adoption by gambling regulators and operators across Europe.” While these are not formal EU standards, the protocols being developed establish de facto templates for how complaints, notices, and enforcement actions should be formatted and transmitted. However, such cooperation is still fragmented and decentralized[11].
Nevertheless, regulators in multiple EU Member States are already participating in bilateral and multilateral data exchanges on and actions against illegal operators. On 12 November 2025, regulators from Germany, Austria, France, Great Britain, Italy, Portugal, and Spain signed a cooperation arrangement structured into three pillars of collaboration: exchanging information on unlicensed operators, coordinated action urging removal of illegal gambling advertising, and sharing methods for identifying, investigating, and sanctioning operators.
All these initiatives pave the way for gradual convergence in the European online gambling market that may significantly reduce fragmentation in the near future. This bottom-up convergence would definitely benefit from active EU participation, particularly in supporting technical standards, coordinating enforcement practices, and ensuring interoperability across national frameworks.
Dr. Wulf Hambach is a member of IMGL
[1] https://www.eba.europa.eu/single-rulebook
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32013R1024
[3] Insight: the recent adoption of the Digital Operational Resilience Act (“DORA”) represents a further evolution of this harmonization logic. By mandating common templates, timelines, testing frameworks, and reporting taxonomies through the underlying binding technical standards (RTS/ITS), and by introducing direct EU-level oversight of certain critical third-party ICT providers, DORA addresses a structural weakness of earlier harmonization efforts: the reliance on national supervisors to apply open-textured risk-management duties. In doing so, DORA illustrates a more mature form of harmonization that operates simultaneously at normative, technical, procedural and supervisory levels.
[4] https://www.eba.europa.eu/activities/supervisory-convergence
[5] PSD3 is the EU’s ongoing attempt to fix certain limits of harmonization without, however, creating a central supervisor. The package was proposed by the EU Commission in June 2023 and, at the time of writing, is still moving through the EU legislative process. The key change is that many operational and conduct rules where national divergence has been considered greatest under the PSD2 will move into a regulation, reducing scope for national interpretation. Thus, PSD3 is explicitly designed to address inconsistent supervision of PSPs, uneven enforcement of AML and safeguarding rules as well as weaknesses in the passporting regime. While authorisation and day-to-day supervision will remain national, the package strengthens supervisory convergence tools and further clarifies host-authority powers. The PSD3 is expected to be adopted soon, with application likely from 2026 – 2027. It will narrow, but not eliminate, some differences in the supervisory culture across the Member States.
[6] https://www.europarl.europa.eu/RegData/etudes/BRIE/2025/775891/EPRS_BRI%282025%29775891_EN.pdf
[7] Due to Germany’s federal structure, each of the German States currently has its own data protection supervisory authority, meaning there are 17 data protection supervisors in Germany (16 local and 1 federal) for the private sector that have divergent approaches even within one country.
[8] Germany illustrates how procedural harmonisation can be achieved within a decentralised legal framework. In the data protection field, the Data Protection Conference (Datenschutzkonferenz, “DSK”) serves as a coordination body through which federal and state data protection authorities agree on common interpretations, procedural approaches, and enforcement priorities. A similar logic underpins the creation of the Joint Gambling Authority of the German Federal States (Gemeinsame Glücksspielbehörde der Länder, GGL), which consolidates operational enforcement and provides a single procedural interface for licensing, supervision, and enforcement, despite gambling law remaining rooted in local legislative competence.
[9] https://www.agco.ca/en/news/over-86-ontarios-online-gamblers-play-regulated-sites-study
[10] Prediction markets sit at the intersection of gambling, financial instruments, and digital platforms, making them a stress test for Europe’s regulatory architecture. Across the European single market, prediction markets are treated inconsistently. In some jurisdictions they are classified as gambling, in others they may resemble financial derivatives or fall into grey, unregulated areas. In summary, there is no dedicated framework at the EU level. Cross-border by design, they raise familiar concerns: consumer protection, market integrity, AML, and data governance. Horizontal EU rules (AML, GDPR, DSA) already apply, but there is a lack of consumer-facing markers clearly distinguishing license-free, admissible offers from illegal gambling.
[11] Example: The Consumer Protection Cooperation (CPC) Network under EU consumer law (https://commission.europa.eu/live-work-travel-eu/consumer-rights-and-complaints/enforcement-consumer-protection/consumer-protection-cooperation-network_en) provides a good example of centralized cooperation. National authorities exchange standardized requests, alerts, and enforcement actions through a shared system when dealing with cross-border infringements. This network demonstrates how templates for complaints, evidence, and enforcement requests become harmonised through practice. Several gambling-related cases involving misleading promotions and illegal offers have been handled through this framework, reinforcing common enforcement formats.