Cross-Operator Self-Exclusion: Comparing GAMSTOP, ROFUS, Spelpaus, and OASIS Across Jurisdictions

Why Cross-Operator Self-Exclusion Architecture Matters

A self-exclusion system that is siloed within a single operator’s platform provides only partial protection. A player who excludes from one licensee can migrate to a competitor within minutes. Cross-operator registers solve this by creating a central, authoritative exclusion state that all licensed operators are required to query. The legal and technical mechanisms behind that requirement vary considerably across jurisdictions, and compliance teams operating in multiple markets cannot treat these schemes as interchangeable.

Four of the most mature mandatory cross-operator schemes currently in operation are GAMSTOP in the United Kingdom, Spelpaus in Sweden, ROFUS in Denmark, and OASIS in Germany. Each scheme sits within a distinct statutory and regulatory framework, carries different technical integration obligations, and allocates liability between licensees and their B2B technology providers in ways that compliance officers must understand precisely.

GAMSTOP and the UKGC Framework

For remote gambling licensees regulated by the United Kingdom Gambling Commission, participation in a national multi-operator self-exclusion scheme is a social responsibility code requirement, not guidance. UKGC Licence Conditions and Codes of Practice (LCCP) 3.5.5 sets out the obligation in direct terms. The relevant code provision requires that remote licensees offering facilities for gambling to consumers in Great Britain participate in a scheme that enables customers to self-exclude from all remote gambling regulated by the Commission.

Under LCCP 3.5.5, remote licensees must offer customers who self-exclude the ability to do so in a way that is effective across all remote gambling facilities offered to them by that licensee, and must participate in a multi-operator self-exclusion scheme enabling customers to self-exclude from all, or a class of, remote gambling provided under a licence granted by the Commission.

GAMSTOP is the scheme designated to fulfil this requirement. Enrolment by a customer in GAMSTOP triggers an obligation on every remote licensee integrated with the scheme to refuse access to gambling services for the duration of the exclusion, to suppress all direct marketing, and to close active accounts. LCCP 3.5.5 also specifies that a licensee must as soon as practicable take all reasonable steps to prevent marketing material being sent to a self-excluded customer, and must remove or flag the customer in marketing databases within two days of receiving notification.

For non-remote premises, LCCP 3.5.6 imposes a separate mandatory obligation to participate in available multi-operator self-exclusion schemes within a licensee’s locality, while LCCP 3.5.7 frames multi-operator scheme development as an ordinary code provision, meaning it reflects expected good practice rather than a strict legal requirement in that specific context. The distinction between the social responsibility code (mandatory) and the ordinary code (expected but rebuttable) is material when the Commission assesses compliance.

In practice, GAMSTOP covers only Great Britain licensed operators. A customer who holds an account with an offshore-licensed operator not subject to LCCP cannot register that operator through GAMSTOP, a gap that the Commission has acknowledged and continues to address through its approach to licensing unlicensed platforms that accept British customers.

Spelpaus: Sweden’s Mandatory National Register and the 2026 Technical Overhaul

Sweden’s Spelpaus register was introduced following the country’s gambling regulatory reform under the Gambling Act (2018:1138). Chapter 14 of the Gambling Act establishes that licence holders must give players the possibility of excluding themselves from gambling permanently or for a limited period, and that a permanent exclusion may not be revoked for twelve months. All licensees holding a Swedish remote gambling licence are required to integrate with Spelpaus and must block access for any player who has registered an exclusion on the national register.

Players registered with Spelpaus may select exclusion periods of one, three, or six months, twelve months, or an open-ended permanent exclusion. The register was updated in 2023 to improve player-facing guidance and to allow extensions of exclusion periods.

The most significant technical development is Spelinspektionen’s SIFS 2026:3, decided on 23 April 2026 and published on 29 April 2026, which enters into force on 1 August 2026. This instrument replaces and tightens the technical standards governing how licensees connect to Spelpaus. The new framework introduces several operationally critical requirements.

Each licence holder is issued a unique Actor ID and API Key, and these credentials are mandatory for every query to the register. The regulation establishes two distinct API pathways: a login API, which must be used when a player registers a new account or attempts to log in, and a marketing API, which must be used before any direct marketing communication is sent to a player. A self-exclusion check is treated as complete only when it definitively resolves whether the individual is excluded.

The regulations explicitly state that responsibility remains with the licence holder even if technical checks are delegated to third-party service providers. Licence holders must ensure that their assigned Actor ID and API Key are used at all times, emphasising that outsourcing does not absolve operators from compliance duties.

This allocation of liability has direct B2B implications. A platform provider or aggregator that performs Spelpaus checks on behalf of a front-end licensee does not absorb the compliance risk. The licensee’s own credentials must be presented in every API call, and the licensee remains the accountable party in any regulatory examination. Compliance teams working with third-party technology stacks should verify contractually and technically that their Actor ID and API Key are being passed correctly through each integration layer.

One practical gap in SIFS 2026:3 noted by practitioners is that, while the overarching technical framework is defined, the regulation does not yet include detailed API specifications, response format documentation, or service performance standards. Operators planning integration work ahead of the August 2026 deadline should engage Spelinspektionen directly for supplementary technical documentation.

ROFUS: Denmark’s Register and the SCP.02.03 Certification Standard

Denmark operates ROFUS (Register Over Frivilligt Udelukkede Spillere) as its national self-exclusion register, administered by Spillemyndigheden. Participation and integration are mandatory for all online casino licensees. The technical requirements for self-exclusion functionality are codified in Spillemyndigheden’s Certification Programme Inspection Standard SCP.02.03, Inspection Standards for Online Casino, Version 2.0.

Under SCP.02.03, all self-exclusion functions within the gambling system, whether relating to temporary or permanent self-exclusion at the operator level, must inform customers of the possibility of registering in ROFUS and must provide a direct link to the register. This creates a layered obligation: operators must operate their own within-platform exclusion tools, but those tools must actively route players toward the national scheme.

SCP.02.03 further specifies that if a customer excludes permanently at the operator level, the gambling account must be closed and a new account for the same customer may not be created for at least twelve months. Upon receipt of a permanent exclusion request, the gambling system must immediately inform the customer that all released funds will be paid out, and the licensee must initiate the payout procedure, which may require contacting the customer to confirm the method of payment.

The customer-facing user interface must also include prominent information about ROFUS and a direct link to the register accessible from all pages, alongside responsible gambling information, links to addiction self-tests, and information about Danish treatment centres. SCP.02.03 is explicit that this information must not be given in inaccurate language or mixed with other content in a way that could cause the player to overlook it.

In terms of scope, ROFUS covers all licensed Danish operators. A player registering in ROFUS is excluded from all operators licensed by Spillemyndigheden, making it a true cross-operator register. The operator-level self-exclusion tools mandated by SCP.02.03 function as a complement to ROFUS rather than a substitute for it.

OASIS: Germany’s Federal Self-Exclusion Architecture

Germany’s OASIS (Overgreifendes Angebots-, Sperr- und Informationssystem) is the national cross-operator exclusion register established under the Interstate Treaty on Gambling 2021 (Glücksspielstaatsvertrag 2021, GlüStV 2021). All licensed online casino and sports betting operators in Germany are required to connect to OASIS and to check player exclusion status before permitting access to gambling services. The scheme covers both self-exclusions registered by players and exclusions imposed by operators or authorities.

The GlüStV 2021 also introduced a registration and stake-limit system administered via LUGAS, a parallel system that enforces cross-operator staking limits. The interaction between OASIS and LUGAS creates a layered player protection architecture that is more complex than the single-register models used in the UK, Sweden, and Denmark. Operators must query both systems at the point of login.

Primary-source technical specifications for OASIS integration are published by the joint regulatory authority (Gemeinsame Glücksspielbehörde der Länder, GGL), which assumed responsibility for federal online gambling oversight in 2023. Compliance teams should consult the GGL’s published technical connection documentation and, given the federal-state structure of German gambling law, obtain qualified legal advice on the precise application of GlüStV 2021 provisions to their licence category.

Mandatory versus Optional: The Structural Distinction

All four schemes described above impose mandatory participation on licensees within their respective jurisdictions. This is a critical point of divergence from older, voluntary cross-referral models that still exist in some markets. In the UK, Sweden, Denmark, and Germany, operating a licensed remote gambling service without connecting to the national exclusion register is not a compliance gap to be managed but a licence condition breach subject to regulatory action.

The Sweden Gambling Act (2018:1138) and SIFS 2026:3 leave no discretion on integration. Spillemyndigheden’s SCP.02.03 treats ROFUS connectivity as a certification requirement, meaning a gambling system that does not implement it cannot receive or maintain certification. The UKGC’s social responsibility code under LCCP 3.5.5 carries equivalent weight: non-participation in GAMSTOP by a remote licensee is a direct breach of the LCCP.

The contrast with markets where cross-operator sharing remains voluntary or patchwork is operationally significant for B2B suppliers serving multiple jurisdictions. A responsible gambling module designed for a market with a voluntary scheme cannot simply be reconfigured for GAMSTOP, Spelpaus, ROFUS, or OASIS connectivity without jurisdiction-specific API integration, credential management, and audit logging.

B2B Implications Across All Four Schemes

Platform providers, white-label operators, and aggregators must treat cross-operator self-exclusion integration as a primary contractual and technical obligation, not an operator-side concern. In each of the four frameworks reviewed, the legal duty rests with the licensee, but the technical execution often sits with B2B suppliers. The regulatory consequence of a missed exclusion check falls on the licensee regardless of where the technical failure occurred.

SIFS 2026:3 makes this explicit for Sweden, and the principle is consistent with the UKGC’s approach to third-party reliance under the LCCP. MGA Player Protection Directive (Directive 2 of 2018) similarly requires B2C licensees to retain complete responsible gaming profiles and manage self-exclusion records regardless of how their back-end systems are structured. While the MGA does not operate a single mandatory cross-operator scheme in the same centralised format as the four jurisdictions discussed here, the directive establishes that B2C licensees bear the compliance obligation for every element of player protection.

For B2B suppliers, the practical implications include: ensuring that API integration layers pass the correct licensee credentials rather than pooled or shared identifiers; maintaining timestamped audit logs of every exclusion check at the point of registration, login, and marketing dispatch; and building contractual indemnity structures that reflect the reality that the licensee, not the supplier, faces regulatory sanction.

Data Protection Considerations

Each national exclusion register processes sensitive personal data, and cross-operator sharing of that data must comply with applicable data protection law. In the EU, this means the General Data Protection Regulation (GDPR) applies to ROFUS, Spelpaus, and OASIS. Processing of exclusion data is generally justified under GDPR Article 6(1)(c) (compliance with a legal obligation) and, where health-related data is involved, under Article 9(2)(g) (substantial public interest). However, the specific legal basis, data retention obligations, and cross-border transfer restrictions depend on each member state’s national implementing legislation and any sector-specific derogations.

For UK operators, the UK GDPR and Data Protection Act 2018 apply to GAMSTOP data flows. Operators processing exclusion data must maintain appropriate records of processing activities, implement data minimisation controls, and ensure that exclusion status is suppressed from marketing databases within the two-day window required by LCCP 3.5.5. Any outsourced processing of exclusion data to a B2B supplier requires a compliant data processing agreement.

Compliance teams should note that GDPR Recital 116 acknowledges the heightened risk to data subjects when personal data moves across borders, a relevant consideration where a multi-jurisdiction operator centrally processes exclusion checks for several licensed entities. The Swedish Spelpaus credential model under SIFS 2026:3, which assigns jurisdiction-specific Actor IDs, is partly designed to address this by ensuring that data queries are attributed to the correct national licensee rather than a centralised processing entity.

Key Resources

UKGC Licence Conditions and Codes of Practice (LCCP), Social Responsibility Code Provision 3.5.5: The primary source for GAMSTOP participation obligations. Available at gamblingcommission.gov.uk.

Spelinspektionen SIFS 2026:3, Spelinspektionens föreskrifter om det nationella självavstängningsregistret: The updated Swedish technical standard for Spelpaus integration, effective 1 August 2026. Published 29 April 2026 by Spelinspektionen.

Sweden Gambling Act (2018:1138), Chapter 14: The statutory basis for Spelpaus and the licence holder’s exclusion obligations, including the panic button requirement for online casino, bingo, and computer-simulated machines.

Spillemyndigheden Certification Programme Inspection Standards for Online Casino, SCP.02.03 Version 2.0: The certification standard governing ROFUS integration and operator-level self-exclusion functionality in Denmark.

MGA Player Protection Directive (Directive 2 of 2018), Version 3, January 2023: The MGA’s binding requirements on B2C licensees for self-exclusion record retention and responsible gaming profiles.

Gemeinsame Glücksspielbehörde der Länder (GGL), Interstate Treaty on Gambling 2021 (GlüStV 2021): The statutory and regulatory basis for OASIS and LUGAS in Germany. Available at gluecksspiel-aufsicht.de. Operators should obtain qualified German legal advice on jurisdiction-specific application.