Platform Provider Market Entry: Jurisdictional Sequencing for B2B iGaming Suppliers

A platform provider entering regulated iGaming markets for the first time faces a decision that is financial, technical, and strategic all at once: which jurisdictions to licence in, in which order, and how to avoid duplicating certification expenditure across markets that accept largely the same technical artefacts. The answer differs depending on whether your primary client base is Tier 1 European operators, emerging-market skins, or North American iGaming licensees. This article maps the B2B licensing landscape across the Malta Gaming Authority, the UK Gambling Commission, Ontario’s Alcohol and Gaming Commission of Ontario, the Alberta Gaming, Liquor and Cannabis Commission, and the Curaçao Gaming Authority, and sets out the sequencing logic a compliance team should follow before committing capital to any application, with detailed comparison available in the B2B supplier licensing matrix across eight key markets.

Why B2B Suppliers Need Their Own Licences: The Jurisdictional Logic

The common mistake made by first-time market entrants is assuming that a platform provider can operate under its operator clients’ licences. That assumption fails in every Tier 1 market. The MGA’s Gaming Authorisations and Compliance Directive (Directive 3 of 2018, V2 October 2021) is explicit: licensees obtaining a critical gaming supply from an outsourcing service provider must ensure that such provider is in possession of a B2B licence or a recognition notice to provide that critical gaming supply. The MGA defines a “game provider” as a B2B licensee that provides a critical gaming supply. A platform provider supplying a player account management system, a random number generator infrastructure, or a core betting engine falls squarely within that definition. Operating without the licence while your client holds a B2C authorisation exposes both parties to regulatory action.

The same logic applies in Ontario. The AGCO’s Registrar’s Standards for Internet Gaming, last updated 29 May 2025, state directly that operators are responsible for the actions of third parties with whom they contract, and must require those third parties to conduct themselves as if they were bound by the same laws, regulations, and standards. More precisely, Standard 1.18 requires that operators and gaming-related suppliers shall only contract with reputable suppliers, and Standard 1.22 prohibits contracting with any supplier that would require registration under the Gaming Control Act 1992 without holding that registration. The consequence is that an operator’s AGCO registration is at risk if their platform provider is not itself registered. Suppliers should not rely on their operator clients to absorb that risk.

Which Jurisdiction First? The MGA as the Logical Anchor

For a platform provider whose primary clients are European-facing operators, the MGA B2B licence is the correct starting point. Malta’s licensing framework under the Gaming Act (Chapter 583 of the Laws of Malta) is the most widely recognised B2B credential in the European market. It supports the widest operator client base, and the MGA’s Recognition Notice pathway reduces the friction of subsequent market entry in jurisdictions that treat MGA authorisation as equivalent to a local licence.

Under Directive 3 of 2018, a B2B licensee must hold a licence to provide critical gaming supplies, including platform software and back-end systems. The distinction between a “game provider” providing front-end critical gaming supply and a “provider of back-end services” is operationally significant. Under the relevant dual-capacity provision of the Directive, a licensee may need to be authorised in both capacities if it wishes to provide both. Platform providers whose product stack covers both the games layer and the platform infrastructure layer must structure their application accordingly.

B2B licensees under the MGA framework carry a lighter monthly reporting burden than B2C licensees, but the obligations are not trivial. Article 40 of Directive 3 requires licensees to file returns under the Gaming Licence Fees Regulations and Gaming Tax Regulations. The Compliance Audit Manual (v1, MGA/G/001, August 2018) confirms that B2B auditors are required to check that the licensee’s websites display a statement of MGA licensing, the licence number, and clearly label which products and services carry MGA authorisation. This three-part disclosure obligation applies at the product level, not merely at the corporate level.

Under the MGA Compliance Audit Manual (v1, MGA/G/001), auditors are required to verify that a B2B licensee clearly labels products, services, and material supply licensed or authorised by the Authority, not simply that the company holds a licence.

The MGA enforcement register confirms that B2B licence cancellations do occur. The cancellation of MGA/B2B/848/2020 issued to GameSoft Limited, effective 20 November 2024, was carried out under Gaming Compliance and Enforcement Regulations S.L. 583.06, regulations 9(1)(c), (d), and (l). Compliance officers at platform providers should treat the enforcement register as a live document, not a historical artefact. For a fuller treatment of MGA B2B obligations versus B2C, the MGA licensing guide provides the B2C counterpart context.

The UKGC Gambling Software Licence: A Standalone Obligation

The MGA B2B licence does not substitute for a UK Gambling Commission gambling software licence. A platform provider whose technology is used by any UKGC-licensed operator to provide facilities for remote gambling in Great Britain must hold its own licence from the Commission. LCCP section 2.3.1 applies to all remote operating licences including remote gambling software and betting ancillary remote licences, and requires licensees to comply with the Commission’s technical standards and with requirements set by the Commission relating to the timing and procedures for testing.

The Commission’s Remote Gambling and Software Technical Standards frame the security architecture a platform provider must implement. The RTS security requirements are based on Annex A of ISO/IEC 27001:2022, which replaced the 2013 version of that standard. Compliance officers evaluating their existing ISO 27001 certifications must confirm they are aligned to the 2022 standard, not the 2013 version, before asserting RTS compliance.

LCCP condition 2.1.1 covers remote casino, bingo, and betting licences, and requires an operator adding to or relocating key equipment to a different jurisdiction to apply for a licence variation before the change is made. Platform providers must understand that this obligation passes through to their architecture decisions: if your platform hosts key equipment for a UK-licensed operator, any infrastructure change that alters the location or nature of that equipment may trigger the operator’s variation requirement, and your cooperation with that process is a contractual and regulatory obligation.

The UKGC has demonstrated willingness to review B2B supplier licences independently of operator enforcement. According to iGaming Business reporting from 2024, the Commission launched a review of Evolution’s supplier licence over concerns that its games were accessible via unlicensed operators. The practical implication for platform providers is that distributor and aggregator contracts must include mechanisms that prevent downstream access to unlicensed operators. A licence review can result in commercial disruption independent of any direct regulatory fault by the platform provider itself.

Ontario: AGCO Registration for Gaming-Related Suppliers

Ontario’s iGaming market, launched 4 April 2022 under the AGCO’s oversight and now operated commercially through iGaming Ontario as an independent agency since 12 May 2025, requires platform providers to register as gaming-related suppliers under the Gaming Control Act 1992. The AGCO’s standards-based model, set out in the Registrar’s Standards for Internet Gaming, gives the Registrar the discretion to hold either the operator, the gaming-related supplier, or both accountable for a standard breach depending on circumstances.

The key sequencing question for Ontario is not whether to register, but when. Platform providers should initiate AGCO registration in parallel with their first Ontario operator client’s own registration process, not after the operator has gone live. The Registrar may refuse a registration if the applicant is carrying on activities that would be in contravention of the Standards if the applicant were registered. A supplier providing critical gaming services to an Ontario operator before holding registration is already exposed.

The AGCO’s approach to third-party management is notably comprehensive. Standard 1.20 requires operators and gaming-related suppliers to maintain a list of suppliers that provide goods or services in relation to lottery schemes, available to the Registrar upon request. Platform providers should expect to appear on their operator clients’ supplier lists and to be subject to indirect scrutiny through those lists even before any direct regulatory contact with the AGCO.

For compliance officers building an Ontario market entry programme, the Ontario iGaming compliance guide provides a thorough account of the broader Registrar’s Standards obligations that flow from that relationship.

Alberta: A New Market with Dual-Track Registration

Alberta launched its private iGaming market with registration opening in January 2026 and commercial operations planned for July 2026. The AGLC’s Standards and Requirements for Internet Gaming (SRIG), issued 14 January 2026, create two sub-classes of iGaming Supplier registration: Operators and Goods or Services Suppliers. Platform providers fall within the Goods or Services Supplier category.

The SRIG is explicit that only registered Goods or Services Suppliers may provide goods or services to the iGaming Corporation, the AGLC, or an Operator. The scope of that restriction covers making or supplying equipment or services to operate or support an iGaming site, which captures platform infrastructure comprehensively. Registered Operators must enter into a commercial agreement with the Alberta iGaming Corporation (AiGC), creating a dual-track obligation that does not apply identically to Goods or Services Suppliers, who deal primarily with the AGLC registration process.

The SRIG also establishes a Technology Compliance Confirmation requirement. Registered Operators and registered Goods or Services Suppliers running critical gaming systems must provide AGLC with annual confirmation that their technology is compliant with all applicable SRIG standards and requirements. Importantly, if an Operator uses a third-party registered Goods or Services Supplier for a critical gaming system, the Operator’s Technology Compliance Confirmation does not cover that supplier’s technology. The supplier must provide its own confirmation. This creates a distinct compliance deliverable for platform providers that is separate from anything their operator clients submit. The confirmation must be supported by records and evidence maintained by the supplier and available to AGLC upon request.

For Goods or Services Suppliers, the AGLC application requires compliance with all federal, provincial, and municipal legislation, payment of any applicable registration fee, and background checks. Operator application fees are CAD 50,000 with CAD 150,000 annual fees; the specific fee quantum for Goods or Services Suppliers is established separately, and suppliers should confirm the current amount directly with AGLC before budgeting.

Curaçao: The LOK Supplier Licence and What Has Changed

Curaçao occupies a particular position in B2B market sequencing. It provides access to the widest universe of operator clients globally, including operators in unregulated and grey markets, at the lowest published fee point. Under the National Ordinance on Games of Chance (LOK), enacted in 2024, Article 5.13 provides that a corporation incorporated under the laws of Curaçao may be granted a Supplier Licence to provide Critical Services or Goods in or from Curaçao. Article 1.5 of the LOK states that without, or contrary to, a CGA-issued Supplier Licence, it is not allowed to provide Critical Services or Goods in or from Curaçao.

The Curaçao Gaming Authority’s LOK Licensing Fees Schedule, Version 2.0, effective 15 October 2025, sets the B2B application fee at EUR 4,592 as a one-time, non-refundable amount. UBOs are charged EUR 150 per person, Qualified Interest Holders EUR 150 per person, and Listed UBOs EUR 2,551 per entity. These figures are substantially lower than the B2C gaming licence application fees and significantly lower than MGA or UKGC licensing costs.

The Curaçao LOK Supplier Licence carries genuine fit-and-proper obligations under Articles 5.13 and 5.14 that did not exist under the predecessor master-licence structure. The cost advantage is real; the compliance burden has increased materially.

The operational change that matters most for platform providers is the shift from the old sub-licensing model, where suppliers operated under a master licence holder’s umbrella, to direct licensing by the CGA under the LOK. Suppliers must now meet suitability requirements independently, including fit-and-proper assessment of Key Persons, UBOs, and Qualified Interest Holders. Platform providers that previously operated through a master licensee arrangement must either obtain their own LOK Supplier Licence or restructure their commercial relationships. Transitional provisions under the LOK allowed a period for existing arrangements to regularise, but that window has closed for most operators.

Certification Reuse: Do You Need a Separate Certification for Every Jurisdiction?

The short answer is no, but full reuse is not automatic. Partial reuse is available through Transfer of Approval mechanisms offered by accredited labs, and the degree of savings depends on which jurisdictions accept those transfers and how your original certification was structured.

GLI-19 v3.0, the Standards for Interactive Gaming Systems published by Gaming Laboratories International with a revision date of 17 July 2020, is the closest thing to a global baseline for platform certification. GLI-19 is designed to apply to both operators and suppliers, with separate scopes. The standard covers RNG testing, platform system requirements, security, and game integrity. Upon successful testing, GLI issues a certificate of compliance evidencing certification to the standard.

The critical operational advantage is the Transfer of Approval mechanism. GLI’s documentation confirms that transfers of approval for existing iGaming certifications are an available service, meaning that test artefacts certified to GLI-19 for one jurisdiction can support applications in other jurisdictions without requiring full re-testing, provided the receiving regulator accepts a GLI transfer. MGA-accredited testing results and UKGC-accredited results are both grounded in GLI-19-derived requirements. The AGLC SRIG requires Accredited Testing Facility certification and specifies that the ATF must include AGLC’s Standards and Requirements within its ISO accreditation scope within one year of supplier registration. GLI holds accreditation across the relevant jurisdictions, which means a supplier that engages GLI for its initial MGA or UKGC certification can instruct the same lab to manage the transfer or additional testing for AGCO and AGLC requirements, reducing duplication.

Spain’s gaming authorities require GLI Europe to certify both B2B iGaming platform suppliers and B2C operators independently, with separate ISS (Information Systems Security) auditor certification alongside the platform certification. Suppliers targeting Spain alongside the core MGA or UKGC markets must budget for two streams of certification work, not one. This is the pattern to scrutinise for every new market: whether the jurisdiction requires a separate ISS or security audit alongside the functional platform certification, or whether a single GLI certification covers both.

Sequencing Framework: Matching Jurisdiction to Business Priority

Tier 1: MGA First, UKGC in Parallel or Immediately After

For most platform providers targeting European-facing operators, the sequencing logic is to file for the MGA B2B licence first, using the application process to build the compliance documentation that will also underpin the UKGC gambling software application. The two processes overlap significantly in their fit-and-proper, AML, and technical standards requirements, but they are not identical and the UKGC process is the more demanding. Industry experience among compliance consultants places UKGC gambling software application timelines at roughly 9 to 12 months from initial submission to authorisation; do not assume that MGA approval accelerates UKGC processing.

Tier 2: Ontario (AGCO) as a North American Anchor

Ontario is the highest-value single Canadian market and the natural next step after European licences are in place. The AGCO registration process is less formally structured than MGA or UKGC applications, but the standards-based model means the Registrar has wide discretion. Platform providers should use GLI-19 certification results obtained for MGA or UKGC purposes as the technical evidence base for AGCO supplier registration, supplemented by any AGCO-specific technical requirements under the Registrar’s Standards. Begin the AGCO process as soon as your first Ontario-facing operator client is identified, not once they are already live.

Tier 3: Alberta (AGLC) as the Second Canadian Market

Alberta’s market opened commercially in mid-2026. Given the AGLC SRIG requirement for an ATF to add AGLC Standards to its ISO accreditation scope within one year of the supplier’s registration, platform providers should engage their certification lab on Alberta-specific requirements at the point of AGLC registration, not 12 months later. The Technology Compliance Confirmation is an annual deliverable. Factor it into your compliance calendar as a standing obligation, distinct from any operator-facing reporting.

Tier 4: Curaçao as a Volume Enabler

The Curaçao LOK Supplier Licence is appropriate where your client base includes operators who hold or are seeking CGA Gaming Licences and where the unit economics of serving those clients justify the compliance investment under the new LOK framework. The EUR 4,592 application fee is not the full cost: UBO and Key Person due diligence, local directorship requirements, and ongoing AML/CFT obligations under the CGA’s published compliance standards all add to the total cost of ownership. Platform providers should treat the Curaçao licence as complementary to, not a substitute for, a Tier 1 European licence, particularly given the UKGC’s demonstrated willingness to scrutinise whether B2B suppliers are enabling access from unlicensed operators.

Capital and Headcount Benchmarks

Platform providers entering the MGA as a first market should budget for a compliance function capable of handling the monthly reporting obligations under Directive 3 of 2018, including management accounts submitted within eight months of the financial year-end and audited financial statements within 180 days of year-end. The MGA compliance audit process, once initiated, requires engagement of an MGA-approved auditor within three months of the Authority’s notification. The in-house compliance resource needed to support this is at minimum a dedicated compliance manager with gaming regulatory experience, supported by external Maltese legal counsel.

For a platform provider seeking simultaneous MGA and UKGC licensing, the headcount requirements expand because the UKGC expects a Nominated Officer for AML purposes, qualified personnel for each licensed activity, and Key Event reporting capacity under LCCP section 15.2.2. Industry consensus among compliance consultants is that a two to three person in-house compliance team is the minimum viable configuration for concurrent MGA and UKGC licensing, with the UKGC demands driving the upper end of that range.

The AGLC market entry adds the annual Technology Compliance Confirmation as a structured deliverable. Platform providers without a dedicated technology compliance function, separate from their legal and regulatory compliance team, will find this obligation difficult to discharge internally. In practice, operators and suppliers entering Alberta contract with their ATF to produce the annual technical evidence package and submit a summary confirmation to AGLC, with internal audit signing off on the CAM.

Key Resources

MGA Gaming Authorisations and Compliance Directive (Directive 3 of 2018, V2 October 2021): The primary instrument governing B2B licensing obligations under the Malta Gaming Authority, including critical gaming supply definitions, outsourcing requirements, and B2B reporting obligations.

UKGC Licence Conditions and Codes of Practice (version effective 6 April 2026): Sections 2.1.1 and 2.3.1 govern technical standards compliance for remote gambling software licensees. The Remote Gambling and Software Technical Standards (RTS) set the ISO 27001:2022-aligned security requirements.

AGCO Registrar’s Standards for Internet Gaming (last updated 29 May 2025): Standards 1.18 through 1.22 govern third-party and supplier management obligations for both operators and gaming-related suppliers in Ontario’s regulated market.

AGLC Standards and Requirements for Internet Gaming (SRIG, issued 14 January 2026): Section 4 sets out Technology Compliance Confirmation and ATF certification requirements for registered Goods or Services Suppliers in Alberta.

Curaçao Gaming Authority, LOK Licensing Fees Schedule, Version 2.0 (15 October 2025): Sets out application and annual fees for B2B Supplier Licences under the National Ordinance on Games of Chance.

GLI-19 v3.0, Standards for Interactive Gaming Systems (revision date 17 July 2020): The global baseline standard for iGaming platform certification, applicable to both suppliers and operators across accredited jurisdictions.