ROFUS Explained: How Denmark’s National Self-Exclusion Register Sets the Technical Standard

ROFUS, Register Over Frivilligt Udelukkede Spillere, or Register of Voluntarily Self-Excluded Players, is operated directly by Spillemyndigheden, the Danish Gambling Authority. Unlike self-exclusion architectures that delegate technical integration to an independent third-party scheme, ROFUS is a regulator-owned infrastructure component that every Danish online gambling licence holder must connect to as a condition of certification. The rules governing that connection are not guidance: they are codified in the technical certification standards, and compliance is verified through Spillemyndigheden’s certification programme before a licence can be granted.

As of June 2025, more than 60,000 Danes had self-excluded via ROFUS, according to a Spillemyndigheden announcement on 24 June 2025. That figure is notable for a country of approximately 5.9 million adults, and reflects both the accessibility of the registration process and the breadth of the legal obligation on licence holders to direct players toward it. Understanding how the system works technically, what it requires of licence holders operationally, and how it compares to equivalent schemes in Great Britain, Sweden, and Germany is essential for any compliance function operating across these markets.

The Legal Foundation: Where ROFUS Comes From

The Danish online gambling framework was substantially updated by the executive orders, bekendtgørelser, that entered into force on 1 January 2020, implementing commitments from the cross-party political agreement of 29 June 2018 on new measures against gambling addiction. Bekendtgørelse om onlinekasino (the Online Casino Order) and Bekendtgørelse om online væddemål (the Online Betting Order) each contain the substantive responsible gambling obligations that Spillemyndigheden then elaborated through its Vejledning om Ansvarligt Spil (Guidance on Responsible Gambling), now at Version 1.4, published 6 December 2022.

Spillemyndigheden is the sole authority responsible for operating ROFUS. Licence holders cannot create ROFUS entries on a player’s behalf. The register belongs to and is maintained by the regulator. This structural choice has direct compliance consequences: the data source is not operator-held, it cannot be corrupted or overlooked by a single operator’s systems failure, and the verification standard is set nationally rather than at the licensee level.

How Does a Player Register in ROFUS?

Players register in ROFUS directly through Spillemyndigheden’s website using MitID, Denmark’s national digital identity standard. MitID replaced the earlier NemID infrastructure and provides strong authentication tied to the individual’s civil registration number (CPR-nummer). The use of MitID as the registration gateway is architecturally significant: exclusion is bound to verified national identity, not to an email address, a username, or a self-reported name. This eliminates the category of circumvention documented in other markets, where excluded players simply re-register with minor credential variations.

The exclusion durations available under ROFUS are defined in Vejledning om Væddemål og Onlinekasino Version 7.0, section 7.2.11.3. Players may choose a 24-hour gaming pause (spilpause), a temporary exclusion of one, three, or six months, or a permanent exclusion with no defined end date. Each option is available through a single MitID-authenticated session on Spillemyndigheden’s platform. Licence holders must inform players of the possibility of registering in ROFUS and must provide a direct link to Spillemyndigheden’s website. This requirement applies across every function of the gambling system that relates to self-exclusion, per SCP.02.03 section 3.3.1.10.

What ROFUS Requires of Licence Holders: The Technical Obligations

The technical obligations on Danish online gambling licence holders are set out in Tekniske Krav for Onlinekasino og Væddemål Version 2.5 and elaborated in SCP.02.03 Inspection Standards for Online Casino Version 2.0. Three distinct integration points are mandatory.

At account registration: The gambling system must confirm that a new player does not appear in ROFUS before an account, including a temporary gambling account, can be created. SCP.02.03 section 3.2.1.4 states this plainly: “The gambling system shall confirm that the customer is not registered in The Danish Gambling Authority’s Register of Self-excluded Persons (ROFUS).” A player listed in the register cannot have any gambling account opened.

At every login: The gambling system must query ROFUS each time a player attempts to log in. SCP.02.03 section 3.2.3.2 requires that upon each login, the system confirm that the customer is not registered in Spillemyndigheden’s Register of Self-excluded Persons. If the player appears in the register, access must be denied. For temporary exclusions, the customer relationship is suspended but not terminated. For permanent exclusions, the customer relationship must be ended, and a new gambling account for the same customer cannot be created for at least one year.

For permanent exclusion accounts: The gambling system must immediately inform the customer that all released funds will be paid out from the gambling account. The licence holder must then initiate fund return procedures, which may involve contacting the customer to confirm payout method (SCP.02.03 sections 3.3.1.8 and 3.3.1.9).

The “Nej Tak Til Reklamer” Marketing Function: A Distinctive Feature

One of the elements that distinguishes ROFUS from comparable national registers is the built-in marketing suppression function. Alongside the GamblerService endpoint used for login and registration checks, Tekniske Krav Version 2.5 section 5.4 requires licence holders to implement service calls to a separate ROFUS endpoint specifically for marketing queries: the nej tak til reklamer (no thanks to advertising) service.

“Tilladelsesindehaver skal implementere servicekald til ROFUS, for at gøre det muligt at kontrollere, om der må sendes markedsføring til spilleren. Med markedsføring menes enhver form for salgskontakt via telefonnumre, mailadresser, postadresser eller andre informationer, som tilladelsesindehaveren har om spilleren.”

In translation, the licence holder must implement service calls to ROFUS to determine whether marketing may be sent to a player. Marketing is defined broadly as any form of sales contact via telephone numbers, email addresses, postal addresses, or any other information the licence holder holds about the player. Push notifications and in-app messages are also captured. The marketing suppression obligation therefore operates independently of access control: a player who has opted into the no-advertising function in ROFUS must not receive any direct marketing contact, even if their exclusion is limited to a short-duration gaming pause rather than a formal self-exclusion.

This creates two separate compliance obligations that must both be satisfied. The access control check runs at registration and every login. The marketing check must run before any direct marketing communication is dispatched. They use distinct API endpoints and both are tested as part of the certification programme before production access is granted.

How Does ROFUS Compare to GAMSTOP?

GAMSTOP, the UK’s national online self-exclusion scheme, became mandatory for all remote gambling licence holders in Great Britain in March 2020, when the UK Gambling Commission embedded the participation requirement in Social Responsibility Code Provision 3.5.5 of the Licence Conditions and Codes of Practice (LCCP). A February 2023 LCCP consultation extended that obligation to licence holders taking bets by telephone and email, closing a coverage gap in the original design. GAMSTOP offers minimum exclusion periods of six months, one year, and five years, with an auto-renewal option providing indefinite exclusion. Registration is identity-verified but through self-reported personal information matched against operator records, rather than through a government-issued digital identity standard equivalent to MitID.

The architectural contrast with ROFUS is instructive. GAMSTOP is operated by a company contracted to deliver the scheme on behalf of the industry, with the UKGC mandating participation. ROFUS is operated by Spillemyndigheden itself. A 2019 investigation in Great Britain demonstrated that players could circumvent GAMSTOP exclusions by re-registering with minor credential variations. The MitID authentication requirement in ROFUS makes that specific circumvention route structurally unavailable in the Danish context, because exclusion is tethered to civil registration number rather than operator-held identifiers that a player controls.

Where GAMSTOP has an advantage is in raw coverage relative to population. Great Britain has a substantially larger gambling population, and the scheme has accumulated significant enrolment. GAMSTOP also offers the auto-renewal service providing what amounts to an indefinite exclusion, comparable to ROFUS’s permanent exclusion option. Both schemes require licence holders to remove self-excluded individuals from marketing databases, though the ROFUS marketing suppression is integrated into the register itself through the dedicated API endpoint rather than being a parallel operator-level obligation. Compliance officers who need the full picture of the UKGC’s responsible gambling framework alongside GAMSTOP obligations can find it in the UKGC LCCP explorer on this site.

How Does ROFUS Compare to Spelpaus?

Sweden’s national self-exclusion register, Spelpaus, was introduced following the country’s 2019 re-regulation under Spellagen (2018:1138). In April 2026, Spelinspektionen issued SIFS 2026:3, which formalised the binding technical and procedural obligations for licensed operators querying Spelpaus. Taking effect 1 August 2026, SIFS 2026:3 uses a three-trigger structure covering direct marketing, new player registration, and login, closely paralleling the ROFUS framework. Like ROFUS, it separates the login API from the marketing API, requiring distinct endpoint calls for each trigger type.

The parallel design is notable. Sweden’s regulatory evolution arrived at a similar architecture to Denmark’s, though through a later and explicitly codified technical regulation rather than through the original certification standard framework Denmark used. The key operational difference for operators serving both markets is that SIFS 2026:3 introduced a formal Actor ID and API Key credential system, with each licensee receiving unique credentials for authentication. That structure is already implicit in the ROFUS connection process, which uses certificate-authenticated HTTPS connections to Spillemyndigheden’s production environment.

Denmark and Sweden share the characteristic that exclusion operates across the entire licensed market rather than at the operator level. A player registered in ROFUS is excluded from every Danish-licensed gambling product requiring ROFUS integration. The same applies in Sweden via Spelpaus. This cross-operator effect, enforced through a regulator-controlled central register, represents a fundamentally different design philosophy from operator-level self-exclusion models in jurisdictions such as Malta (MGA) and Curaçao, where cross-operator coverage depends on scheme membership, commercial decisions, or regulator coordination rather than a statutory API mandate. For a detailed breakdown of how SIFS 2026:3 defines Spelpaus API requirements for Swedish licensees, see the dedicated analysis on this site.

OASIS in Germany: A Third Model

Germany’s OASIS system, the national centralised gambling self-exclusion register introduced alongside the Glücksspielstaatsvertrag (GlüStV) 2021, reported approximately 350,000 registrations during its first four years of operation, according to iGamingBusiness in June 2025. OASIS is administered by the Joint Gambling Authority of the States (Gemeinsame Glücksspielbehörde der Länder, GGL) and covers both online and land-based gambling products across all participating operators. In scale, OASIS reflects Germany’s substantially larger population base compared to Denmark or Sweden, but the design pattern, a national register queried at the operator level as a condition of licensing, is conceptually aligned with ROFUS and Spelpaus.

Where OASIS diverges from the Danish model is in the underlying identity infrastructure available to it. Denmark’s MitID provides a single national digital identity standard with consistent, machine-verifiable authentication for all online services. Germany’s equivalent digital identity infrastructure has developed more slowly, and the OASIS integration relies on a different verification architecture. The result is that OASIS has historically faced greater friction in identity matching than a MitID-anchored register. This is a system-level observation about national digital infrastructure rather than a criticism of the GGL’s design choices, as the constraints were pre-existing.

What the Danish RG Framework Adds Beyond ROFUS

ROFUS sits within a broader responsible gambling framework. Spillemyndigheden’s Vejledning om Ansvarligt Spil Version 1.4 requires licence holders to maintain a opmærksomhedspligt, an obligation of attentiveness, toward player behaviour patterns. Under Bekendtgørelse om onlinekasino § 22, stk. 1 and Bekendtgørelse om online væddemål § 16, stk. 1, licence holders for online gambling products must continuously analyse player data for markers of problematic play and take proportionate measures and interventions when those markers are present. This obligation applies even to players who have not self-excluded.

The guidance explicitly distinguishes passive and active measures. Passive measures include website information, links to ROFUS, references to the StopSpillet helpline, and access to self-assessment tools. Active measures require direct intervention toward identified at-risk players, including personalised communication that references the specific behavioural indicators identified. The guidance is precise about what does not constitute adequate active intervention: standardised pop-up messages sent to all players regardless of their behaviour pattern are explicitly identified as insufficient.

“Standardiserede pop-up-vinduer eller standardiserede mails om ansvarligt spil, som sendes til samtlige spillere uafhængigt af forbrug eller spiladfærd, bør [ikke anses som tilstrækkelig aktiv intervention].”

Licence holders must also display Spillemyndigheden’s quality label on their homepage and on all other pages, provide responsible gambling information developed in cooperation with a treatment centre for gambling addiction, provide access to a self-test for gambling addiction, and publish contact details for Danish treatment centres and the StopSpillet helpline. The information must be accessible from every page of the website within one click, per Vejledning om Ansvarligt Spil v1.4. These are codified requirements, not aspirational standards.

The broader player protection architecture, covering mandatory deposit limits, session controls, and mandatory account records including self-exclusion status and all suspension and reinstatement events, reflects the same regulatory logic that underpins ROFUS: obligations are technical, verifiable, and enforced through the certification programme rather than through periodic supervision alone. For compliance officers assessing Danish requirements alongside other European frameworks, the Responsible Gambling Compliance hub on this site provides a cross-jurisdictional reference covering the full landscape of national self-exclusion registers and operator-level models.

Operator Compliance Obligations: The Practical Checklist

Any entity seeking or holding an online gambling licence from Spillemyndigheden must satisfy the following ROFUS-related obligations as part of its certification.

Pre-launch: Complete the technical and legal connection process for both the ROFUS GamblerService and the nej tak til reklamer service. Testing must be conducted in Spillemyndigheden’s dedicated test environment at rofusdemo.spillemyndigheden.dk. Production endpoint credentials are issued by Spillemyndigheden only on successful completion. This connection is tested as part of the SCP.02.03 inspection process.

At registration: Query ROFUS before creating any gambling account, including temporary accounts. If the player is listed, no account may be opened under any circumstances.

At every login: Query ROFUS before permitting access. If the player is listed with a temporary exclusion, deny login. If the player is listed with a permanent exclusion and no account has yet been closed, terminate the customer relationship immediately and initiate fund return procedures.

Before all direct marketing: Query the nej tak til reklamer endpoint. Any player who has opted into marketing suppression through ROFUS must receive no direct marketing by any channel, including telephone, email, post, push notification, or any other identifier held by the licence holder.

Ongoing: All gambling system functions related to self-exclusion must inform players of the possibility of ROFUS registration and provide a direct link to Spillemyndigheden’s website. Self-exclusion status, all suspension events, and all reinstatement events must be recorded in system logs and retained. Licence holders must ensure their own internal self-exclusion process connects the player to ROFUS information at the point of any self-exclusion request.

Why the MitID Architecture Matters for Compliance Design

The most operationally significant design choice in ROFUS is not the exclusion durations or the marketing suppression feature. It is the reliance on MitID as the sole registration mechanism. MitID provides authentication at a security level corresponding to the OCES standard, the same standard that governs customer login to gambling accounts under SCP.02.03 section 3.2.3. Exclusions registered through this channel are therefore anchored to the same identity layer that authenticates every legitimate gambling session.

The practical implication is that a player cannot create a new gambling account with any Danish-licensed operator and bypass their ROFUS registration by using a different email address or a slightly altered name. The CPR-nummer linked to the MitID session is the matching key, and it is a nationally issued identifier that the player does not control or vary. For compliance officers designing identity matching procedures for ROFUS queries, the technical requirement under Tekniske Krav Version 2.5 is that the gambling system verifies the player’s identity using the CPR-nummer before querying ROFUS, and that the ROFUS query uses that verified CPR-nummer as the basis for the lookup.

This is the architectural gap that comparable schemes in other jurisdictions have historically struggled to close. GAMSTOP and earlier operator-level exclusion schemes in Great Britain relied on name, date of birth, email, and postal address matching, all attributes that an excluded player with sufficient motivation can manipulate. The Danish approach solves this not through better fuzzy-matching algorithms but by using a national identity infrastructure that was already deployed for e-government services long before ROFUS was designed. Compliance teams at operators new to the Danish market should treat MitID integration as a foundational infrastructure requirement, not a responsible gambling add-on.

Key Resources

Spillemyndigheden, Vejledning om Ansvarligt Spil Version 1.4 (6 December 2022), the primary responsible gambling guidance covering the opmærksomhedspligt, ROFUS obligations, deposit limits, and active intervention requirements for Danish online gambling licence holders.

Spillemyndigheden, Tekniske Krav for Onlinekasino og Væddemål Version 2.5, the technical requirements document specifying ROFUS API integration, the nej tak til reklamer service, TamperToken, test environment endpoints, and the overall technical connection framework for Danish online gambling certification.

Spillemyndigheden, SCP.02.03 Inspection Standards for Online Casino Version 2.0, the certification programme document setting out the precise requirements inspected in relation to gambling accounts, customer registration, ROFUS checks at login and registration, self-exclusion procedures, and customer protection information obligations.

Spillemyndigheden, Vejledning om Væddemål og Onlinekasino Version 7.0, the licensing guidance covering ROFUS within the broader betting and online casino regulatory framework, including the authority structure, exclusion duration options, and the scope of the licence holder’s information obligations.

UKGC, Licence Conditions and Codes of Practice, Social Responsibility Code 3.5.5, the UKGC provision mandating participation in GAMSTOP for remote gambling licence holders, relevant for operators comparing the Danish and British self-exclusion frameworks. Available at: gamblingcommission.gov.uk/licensees-and-businesses/lccp.

Operators entering the Danish online gambling market for the first time should obtain qualified Danish legal counsel to advise on the full scope of Spillemyndigheden’s licensing requirements, including the complete certification programme obligations that extend beyond the ROFUS provisions addressed in this article.