Our Expert in Cyprus
No results available
Every game provider agreements Cyprus negotiation in 2026 is shaped by an increasingly assertive regulatory environment: the National Betting Authority (NBA) has issued new directives on self-exclusion integration and suspicious-transaction reporting, the Prevention and Suppression of Money Laundering Law continues to tighten obligations on obliged entities, and ongoing discussions around online-casino legalisation are raising the compliance bar for every supplier and licensee in the chain. For in-house counsel, procurement leads, and outside advisers drafting or reviewing a software licensing agreement Cyprus-side, the practical challenge is no longer whether to include compliance clauses, it is how to draft them precisely enough that both parties know who does what, when, and at whose cost.
This guide maps the key statutes and regulator directives directly onto contract language, clause by clause, so that your next agreement leaves no compliance gap unaddressed.
Before you begin drafting, complete three immediate actions:
Betting and gambling in Cyprus are principally regulated under the Betting Law L.37(I)/2019, which established the NBA as the single supervisory body for licensed betting operations. The NBA holds powers to grant, suspend, and revoke licences, impose administrative fines, and issue binding directives to licensees. Separately, casino-resort operations fall under the Cyprus Gaming and Casino Supervision Commission (CGC), which administers its own AML/CTF legal and regulatory framework.
For game supplier contract clauses, the critical point is that while providers are not themselves required to hold an NBA licence, their software may only be offered to the public through a licensed operator. That commercial dependency means the provider’s contract must mirror every material obligation the operator bears, because if the operator’s licence is suspended or revoked for a compliance failure traceable to the provider’s software, both parties suffer.
Two NBA directives are especially consequential for game provider agreements Cyprus-side:
Licence classes under the Betting Law distinguish between Class A (betting shops and retail) and Class B (online betting). Operators should consult the NBA’s published fee schedule and licensing guidance for current costs, as these are revised periodically. For contract-drafting purposes, every agreement should specify the operator’s licence class and number, and include a covenant requiring the operator to notify the supplier immediately of any change in licence status.
Game provider agreements Cyprus practitioners draft typically involve at least two, and sometimes four, distinct parties. Understanding who bears which regulatory burden is essential before allocating contractual risk. The following decision table summarises the most common obligations and the corresponding recommended clause for each entity type.
| Entity | Common Regulatory/Operational Obligations | Recommended Contract Clause |
|---|---|---|
| Licensee / Operator (Class A or B) | Holds NBA licence; performs KYC and age verification; files STRs with MOKAS; integrates with NSEP; pays betting tax | Compliance covenant; STR-filing warranty; NSEP integration SLA; tax gross-up clause |
| Game Provider / Supplier | Supplies certified game software; provides transaction logs on demand; supports geoblocking; warrants IP ownership | IP warranty and indemnity; data-access clause; geoblocking SLA; audit cooperation clause |
| Aggregator / White-label Partner | Integrates third-party game feeds; ensures sub-supplier AML/DPA compliance; notifies operator of suspicious integrations | Sub-processor warranty; cascading audit rights; indemnity for third-party non-compliance |
Red flag, negotiation tip: Operators sometimes attempt to push all AML and KYC obligations gaming suppliers should share onto the provider. Resist this unless the provider directly interfaces with the end player. Instead, clearly delineate the operator’s front-line KYC duties from the supplier’s obligation to supply compliant software and data feeds.
The licence grant is the commercial heart of every software licensing agreement Cyprus parties will negotiate. It should specify the scope (e.g., RNG slots, live-dealer feeds, sports-data API), the territory, and whether the grant is exclusive or non-exclusive. A well-drafted clause might read:
“The Provider grants the Operator a non-exclusive, non-transferable licence to access and deploy the Licensed Games solely within the Territory, solely to end-users who have been verified by the Operator in accordance with applicable KYC requirements, and solely in connection with the Operator’s Class B licence number [●] issued by the NBA.”
Territory and geoblocking are intertwined. The clause should list permitted jurisdictions explicitly and require the operator to implement, and the provider to technically support, IP-based geoblocking for all territories not expressly included. This dovetails with NBA compliance Cyprus expectations, which require licensees to block access from restricted jurisdictions. If the provider’s platform feeds games to multiple operators, cross-territorial conflicts must be addressed through exclusivity carve-outs or revenue-share adjustments.
Fee structures in the iGaming sector typically combine a fixed monthly platform fee with a percentage of gross gaming revenue (GGR). The contract should define GGR precisely, deducting player winnings, bonuses, and chargebacks, and set payment milestones (e.g., NET 30 from the end of each calendar month).
On the tax side, operators should confirm current betting-tax rates with the Cyprus Ministry of Finance, as rates are subject to legislative revision. The agreement must include a tax gross-up clause so that if withholding tax is imposed on payments to a non-resident supplier, the operator increases the payment so the supplier receives the agreed net amount. A concise formulation:
“All sums payable under this Agreement are exclusive of withholding tax. If the Operator is required by law to deduct or withhold any tax, the gross amount payable shall be increased so that, after deduction, the Provider receives the full amount that would have been payable absent the deduction.”
Service-level agreements (SLAs) for uptime, latency, and failover should be annexed, with agreed remedies (service credits, not termination) for SLA breaches below a defined materiality threshold. Escrow of source code is advisable where the provider’s insolvency could leave the operator unable to run games mid-licence period.
AML clauses gambling contracts require are among the most heavily negotiated provisions in any game provider agreement. The Prevention and Suppression of Money Laundering and Terrorist Financing Law designates betting-licence holders as obliged entities, meaning they must perform customer due diligence (CDD), enhanced due diligence (EDD) for high-risk players, ongoing transaction monitoring, and suspicious-transaction reporting (STR) to MOKAS via the goAML platform.
While the front-line KYC obligation rests with the operator, the provider’s software must be capable of enforcing onboarding checks. A sample KYC clause:
“The Provider warrants that the Licensed Games incorporate configurable player-verification gates such that no end-user may place a wager or deposit funds unless the Operator’s KYC system has returned a ‘verified’ status. The Provider shall maintain API compatibility with the Operator’s identity-verification service provider and shall implement updates within [●] business days of written notice.”
Red flag: Negotiate who bears the cost of API updates when the operator changes its KYC vendor. Providers should cap the number of mandatory integrations per year or charge change-request fees after a defined threshold.
The operator must file STRs with MOKAS immediately upon forming a suspicion. The provider’s contractual role is to supply real-time transaction data, player-activity logs, and anomaly alerts. Draft language should include:
Where the operator accepts cryptocurrency deposits, the agreement must address virtual-asset (VA) screening against EU and UN sanctions lists. The provider should warrant that its wallet-integration module supports chain-analysis tools and that transaction records include wallet addresses for audit purposes. For a broader perspective on regulatory expectations in crypto-enabled gaming, see our guide on crypto casino licences.
| Record Type | Statutory Retention Period | Recommended Contract Clause |
|---|---|---|
| CDD/KYC documentation | 5 years after end of business relationship (AML Law) | Operator retains; provider supports data export in machine-readable format |
| Transaction records (deposits, wagers, withdrawals) | 5 years after the transaction (AML Law) | Provider stores transaction logs and makes available on 48-hour notice |
| STR records and internal investigation files | 5 years after the STR filing date (AML Law) | Operator retains; provider to preserve related system logs for equivalent period |
| NBA quarterly compliance reports | 7 years (NBA Directive 15/2024) | Operator retains; provider delivers data feeds enabling report generation |
Red flag: Ensure that retention clauses survive termination. Providers often want to delete data upon contract expiry to reduce storage costs, but the operator’s statutory obligations require the data to remain accessible. Address this tension with an escrow or read-only archive arrangement.
NBA compliance Cyprus obligations go beyond AML. Several NBA directives impose operational requirements that must be hardwired into game provider agreements:
Red flag: Geoblocking liability is a frequent negotiation flashpoint. Providers typically resist guaranteeing 100 % accuracy because VPN usage is outside their control. The practical compromise is a “commercially reasonable efforts” standard coupled with a shared obligation to monitor and update geolocation databases.
Under the EU General Data Protection Regulation, enforced in Cyprus by the Commissioner for the Protection of Personal Data, every game provider agreement must address personal-data processing. Gaming telemetry, behavioural analytics, and transaction records all constitute personal data where they relate to identified or identifiable players.
The data processing agreement gaming suppliers and operators should annex to the main contract must cover at minimum:
A Data Protection Impact Assessment (DPIA) is required where the processing is likely to result in a high risk to individuals, profiling player behaviour, automated decision-making affecting betting limits, or large-scale processing of behavioural data all qualify. The contract should require the operator to conduct a DPIA before go-live and oblige the provider to supply all technical information needed for the assessment.
Robust audit rights underpin every compliance clause in the agreement. Without the ability to verify compliance, warranties are unenforceable. A practical audit framework should address:
An operational readiness checklist, covering system-access credentials, designated compliance contacts, and pre-approved secure data-transfer protocols, should be completed before the agreement’s effective date, as early indications suggest that the NBA is placing increasing emphasis on proactive compliance infrastructure during licence reviews.
IP warranties game providers must give typically cover ownership of the licensed software, non-infringement of third-party intellectual property, and disclosure of any open-source components. A sample warranty:
“The Provider warrants that it is the sole owner of, or holds valid licences to, all intellectual property embodied in the Licensed Games and that the Operator’s use in accordance with this Agreement will not infringe the rights of any third party.”
The indemnity clause should cover losses arising from IP infringement claims, regulatory fines attributable to the provider’s software defects or non-compliance (noting that indemnities for regulatory fines may be limited in enforceability under Cyprus law), and data breaches originating in the provider’s systems. Limitation of liability caps are standard, typically set at 12 months’ fees or a fixed monetary cap, but should carve out fraud, wilful misconduct, IP indemnity obligations, and data-breach liabilities.
Insurance requirements should include professional indemnity, cyber-liability, and (where applicable) product-liability coverage, with minimum coverage amounts specified and evidence of renewal provided annually. Operators launching in multiple jurisdictions will find additional context in our overview of the top 10 jurisdictions to launch a licensed gambling business.
Termination rights must address both commercial and regulatory triggers. Either party should be entitled to terminate immediately if the other suffers a licence revocation, enters insolvency, or commits a material breach of AML, data-protection, or NBA-compliance obligations that is not remedied within a defined cure period (typically 14–30 days for remediable breaches).
The distinction between suspension and termination matters. A contract should permit suspension of game access pending a regulatory investigation, without triggering full termination, so that the commercial relationship can resume if the investigation concludes favourably. Player-data continuity is critical: the agreement must require the provider to migrate all player-account data and transaction histories to the operator (or a successor provider) in a standard, machine-readable format within an agreed transition period.
Source-code escrow release triggers should include provider insolvency, material breach of SLA not cured within 60 days, and licence revocation. Governing law should be the laws of the Republic of Cyprus, and industry observers expect that arbitration seated in Nicosia, administered under ICC or LCIA rules, offers the most practical forum for cross-border provider–operator disputes. Those exploring how to start an online casino should factor these exit and continuity provisions into their budgeting from day one.
| Entity Type | Reporting Obligation (Timeline) | Typical Contract Clause Pointer |
|---|---|---|
| Licensee / Operator (Class A/B) | Quarterly statements to NBA; immediate STRs to MOKAS for suspicious transactions; record retention for the statutory period | Require operator to provide quarterly compliance reports; covenant to file STRs; retention and audit clause surviving termination |
| Game Provider / Supplier | Provide logs and transaction data to operator/NBA on request; cooperate with investigations; support geoblocking | Data-access clause with 48-hour SLA; cooperation and technical-assistance clause; geoblocking implementation and quarterly audit clause |
| Aggregator / White-label Partner | Notify operator of suspicious third-party integrations; ensure sub-processors comply with DPA and AML requirements | Sub-processor warranty and cascading audit clause; indemnity for third-party non-compliance; immediate notification covenant |
Drafting game provider agreements Cyprus-compliant in 2026 demands a clause-level understanding of NBA directives, AML obligations, GDPR requirements, and commercial realities. Use the clause templates and comparison tables above as a starting checklist, confirm each obligation against the current NBA and MOKAS guidance, and engage specialist counsel to tailor the language to your specific product and licence class. A well-drafted agreement is not merely a commercial document, it is the operational backbone of regulatory compliance for both provider and operator.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Zena Spanou at Markos P. Spanos & Co LLC, a member of the Global Law Experts network.
posted 5 minutes ago
posted 14 minutes ago
posted 40 minutes ago
posted 44 minutes ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message