Global Law Experts Logo
game provider agreements cyprus

Drafting Game‑provider & Software Licensing Agreements for Cyprus (2026): Key Contract Clauses to Meet Regulatory, AML & NBA Compliance

By Global Law Experts
– posted 44 minutes ago

Every game provider agreements Cyprus negotiation in 2026 is shaped by an increasingly assertive regulatory environment: the National Betting Authority (NBA) has issued new directives on self-exclusion integration and suspicious-transaction reporting, the Prevention and Suppression of Money Laundering Law continues to tighten obligations on obliged entities, and ongoing discussions around online-casino legalisation are raising the compliance bar for every supplier and licensee in the chain. For in-house counsel, procurement leads, and outside advisers drafting or reviewing a software licensing agreement Cyprus-side, the practical challenge is no longer whether to include compliance clauses, it is how to draft them precisely enough that both parties know who does what, when, and at whose cost.

This guide maps the key statutes and regulator directives directly onto contract language, clause by clause, so that your next agreement leaves no compliance gap unaddressed.

Before you begin drafting, complete three immediate actions:

  • Audit your clause library against the NBA directives and AML obligations catalogued below.
  • Confirm each party’s regulatory status, licensee, supplier, or aggregator, because contractual duties differ significantly.
  • Map data flows to identify GDPR controller/processor roles and any cross-border transfer triggers.

1. Cyprus Regulatory and Licensing Overview, 2026 Updates

Key Statutes and Regulator Responsibilities

Betting and gambling in Cyprus are principally regulated under the Betting Law L.37(I)/2019, which established the NBA as the single supervisory body for licensed betting operations. The NBA holds powers to grant, suspend, and revoke licences, impose administrative fines, and issue binding directives to licensees. Separately, casino-resort operations fall under the Cyprus Gaming and Casino Supervision Commission (CGC), which administers its own AML/CTF legal and regulatory framework.

For game supplier contract clauses, the critical point is that while providers are not themselves required to hold an NBA licence, their software may only be offered to the public through a licensed operator. That commercial dependency means the provider’s contract must mirror every material obligation the operator bears, because if the operator’s licence is suspended or revoked for a compliance failure traceable to the provider’s software, both parties suffer.

2026 Directives That Matter to Suppliers

Two NBA directives are especially consequential for game provider agreements Cyprus-side:

  • Directive 18/2024 (National Self-Exclusion Platform, NSEP). Licensed operators must integrate with the NSEP so that self-excluded players are blocked across all platforms. Suppliers must build or support the technical integration and warrant that their software can enforce NSEP block-lists in real time.
  • Directive 15/2024 (Reporting Obligations). This directive sets out quarterly statement requirements and suspicious-transaction reporting timelines for licensees. Suppliers must ensure their systems generate the data feeds operators need to meet these deadlines.

Licence classes under the Betting Law distinguish between Class A (betting shops and retail) and Class B (online betting). Operators should consult the NBA’s published fee schedule and licensing guidance for current costs, as these are revised periodically. For contract-drafting purposes, every agreement should specify the operator’s licence class and number, and include a covenant requiring the operator to notify the supplier immediately of any change in licence status.

2. Who Needs Which Contractual Protections, Provider vs Operator Responsibilities

Game provider agreements Cyprus practitioners draft typically involve at least two, and sometimes four, distinct parties. Understanding who bears which regulatory burden is essential before allocating contractual risk. The following decision table summarises the most common obligations and the corresponding recommended clause for each entity type.

Entity Common Regulatory/Operational Obligations Recommended Contract Clause
Licensee / Operator (Class A or B) Holds NBA licence; performs KYC and age verification; files STRs with MOKAS; integrates with NSEP; pays betting tax Compliance covenant; STR-filing warranty; NSEP integration SLA; tax gross-up clause
Game Provider / Supplier Supplies certified game software; provides transaction logs on demand; supports geoblocking; warrants IP ownership IP warranty and indemnity; data-access clause; geoblocking SLA; audit cooperation clause
Aggregator / White-label Partner Integrates third-party game feeds; ensures sub-supplier AML/DPA compliance; notifies operator of suspicious integrations Sub-processor warranty; cascading audit rights; indemnity for third-party non-compliance

Red flag, negotiation tip: Operators sometimes attempt to push all AML and KYC obligations gaming suppliers should share onto the provider. Resist this unless the provider directly interfaces with the end player. Instead, clearly delineate the operator’s front-line KYC duties from the supplier’s obligation to supply compliant software and data feeds.

3. Commercial and Licensing Clauses in a Software Licensing Agreement Cyprus

Sample Licence Grant Clause

The licence grant is the commercial heart of every software licensing agreement Cyprus parties will negotiate. It should specify the scope (e.g., RNG slots, live-dealer feeds, sports-data API), the territory, and whether the grant is exclusive or non-exclusive. A well-drafted clause might read:

“The Provider grants the Operator a non-exclusive, non-transferable licence to access and deploy the Licensed Games solely within the Territory, solely to end-users who have been verified by the Operator in accordance with applicable KYC requirements, and solely in connection with the Operator’s Class B licence number [●] issued by the NBA.”

Territory and geoblocking are intertwined. The clause should list permitted jurisdictions explicitly and require the operator to implement, and the provider to technically support, IP-based geoblocking for all territories not expressly included. This dovetails with NBA compliance Cyprus expectations, which require licensees to block access from restricted jurisdictions. If the provider’s platform feeds games to multiple operators, cross-territorial conflicts must be addressed through exclusivity carve-outs or revenue-share adjustments.

Payment, Revenue Share and Withholding Tax Clause

Fee structures in the iGaming sector typically combine a fixed monthly platform fee with a percentage of gross gaming revenue (GGR). The contract should define GGR precisely, deducting player winnings, bonuses, and chargebacks, and set payment milestones (e.g., NET 30 from the end of each calendar month).

On the tax side, operators should confirm current betting-tax rates with the Cyprus Ministry of Finance, as rates are subject to legislative revision. The agreement must include a tax gross-up clause so that if withholding tax is imposed on payments to a non-resident supplier, the operator increases the payment so the supplier receives the agreed net amount. A concise formulation:

“All sums payable under this Agreement are exclusive of withholding tax. If the Operator is required by law to deduct or withhold any tax, the gross amount payable shall be increased so that, after deduction, the Provider receives the full amount that would have been payable absent the deduction.”

Service-level agreements (SLAs) for uptime, latency, and failover should be annexed, with agreed remedies (service credits, not termination) for SLA breaches below a defined materiality threshold. Escrow of source code is advisable where the provider’s insolvency could leave the operator unable to run games mid-licence period.

4. AML, KYC and Transaction-Monitoring Clauses, Supplier and Operator Must-Haves

AML clauses gambling contracts require are among the most heavily negotiated provisions in any game provider agreement. The Prevention and Suppression of Money Laundering and Terrorist Financing Law designates betting-licence holders as obliged entities, meaning they must perform customer due diligence (CDD), enhanced due diligence (EDD) for high-risk players, ongoing transaction monitoring, and suspicious-transaction reporting (STR) to MOKAS via the goAML platform.

Customer Onboarding and KYC

While the front-line KYC obligation rests with the operator, the provider’s software must be capable of enforcing onboarding checks. A sample KYC clause:

“The Provider warrants that the Licensed Games incorporate configurable player-verification gates such that no end-user may place a wager or deposit funds unless the Operator’s KYC system has returned a ‘verified’ status. The Provider shall maintain API compatibility with the Operator’s identity-verification service provider and shall implement updates within [●] business days of written notice.”

Red flag: Negotiate who bears the cost of API updates when the operator changes its KYC vendor. Providers should cap the number of mandatory integrations per year or charge change-request fees after a defined threshold.

Ongoing Monitoring and STR Reporting

The operator must file STRs with MOKAS immediately upon forming a suspicion. The provider’s contractual role is to supply real-time transaction data, player-activity logs, and anomaly alerts. Draft language should include:

  • Data-feed SLA: The provider shall make transaction-level data available to the operator via secure API within [●] seconds of each completed transaction.
  • Anomaly flagging: The provider shall implement configurable rule-based alerts (e.g., rapid-deposit patterns, unusual session lengths) and transmit alerts to the operator’s compliance dashboard.
  • Suspension mechanism: Either party may suspend a player account pending investigation where an STR has been filed or where the operator’s MLCO directs suspension.

Sanctions Screening and Virtual-Asset Handling

Where the operator accepts cryptocurrency deposits, the agreement must address virtual-asset (VA) screening against EU and UN sanctions lists. The provider should warrant that its wallet-integration module supports chain-analysis tools and that transaction records include wallet addresses for audit purposes. For a broader perspective on regulatory expectations in crypto-enabled gaming, see our guide on crypto casino licences.

Record Retention and Reporting Timelines

Record Type Statutory Retention Period Recommended Contract Clause
CDD/KYC documentation 5 years after end of business relationship (AML Law) Operator retains; provider supports data export in machine-readable format
Transaction records (deposits, wagers, withdrawals) 5 years after the transaction (AML Law) Provider stores transaction logs and makes available on 48-hour notice
STR records and internal investigation files 5 years after the STR filing date (AML Law) Operator retains; provider to preserve related system logs for equivalent period
NBA quarterly compliance reports 7 years (NBA Directive 15/2024) Operator retains; provider delivers data feeds enabling report generation

Red flag: Ensure that retention clauses survive termination. Providers often want to delete data upon contract expiry to reduce storage costs, but the operator’s statutory obligations require the data to remain accessible. Address this tension with an escrow or read-only archive arrangement.

5. NBA-Specific Compliance Clauses: Licensing Notifications, NSEP, Geoblocking and Jurisdiction

NBA compliance Cyprus obligations go beyond AML. Several NBA directives impose operational requirements that must be hardwired into game provider agreements:

  • Licence-status notification. The operator must notify the provider within 24 hours of any NBA decision to suspend, revoke, or restrict its licence. The provider’s corresponding right should be an immediate ability to disable game access, without this, the provider risks facilitating unlicensed gambling.
  • NSEP integration (Directive 18/2024). The provider must warrant that its platform supports real-time queries against the National Self-Exclusion Platform. A sample clause: “The Provider shall maintain a live connection to the NSEP and shall block any player appearing on the NSEP register from initiating a game session within [●] milliseconds of an NSEP query return.”
  • Geoblocking and jurisdiction clauses. The provider must implement IP-based and, where feasible, GPS-based geoblocking to prevent access from jurisdictions not covered by the operator’s licence. The clause should define technical standards (e.g., commercially reasonable geolocation accuracy of at least 99 %), allocate liability for VPN circumvention, and require quarterly audits of geoblocking effectiveness.
  • Cooperation with NBA investigations. Both parties should covenant to cooperate fully with any NBA inquiry, including producing documents and system access within timeframes specified by the Authority.

Red flag: Geoblocking liability is a frequent negotiation flashpoint. Providers typically resist guaranteeing 100 % accuracy because VPN usage is outside their control. The practical compromise is a “commercially reasonable efforts” standard coupled with a shared obligation to monitor and update geolocation databases.

6. Data Protection, DPIA and DPA Clauses for a Data Processing Agreement Gaming Suppliers Need

Under the EU General Data Protection Regulation, enforced in Cyprus by the Commissioner for the Protection of Personal Data, every game provider agreement must address personal-data processing. Gaming telemetry, behavioural analytics, and transaction records all constitute personal data where they relate to identified or identifiable players.

Sample DPA Paragraphs Tailored to Gaming Telemetry

The data processing agreement gaming suppliers and operators should annex to the main contract must cover at minimum:

  • Roles: The operator is typically the data controller; the provider is the processor. If the provider processes data for its own analytics (e.g., game-performance optimisation), it may be a joint controller, this must be specified and documented.
  • Processing details: Subject matter (player account data, session logs, wagering records), categories of data subjects (registered players), duration (co-terminous with the agreement plus retention period), and purposes (game delivery, regulatory reporting, fraud prevention).
  • Security measures: Encryption at rest and in transit (minimum AES-256/TLS 1.2), access controls, penetration testing schedule, and incident-response procedures.
  • Breach notification: The processor must notify the controller within 24 hours of discovering a personal-data breach, enabling the controller to meet the 72-hour notification deadline to the Commissioner.
  • Sub-processors: The provider must obtain prior written consent before engaging sub-processors and must impose equivalent data-protection obligations on each.
  • Cross-border transfers: Where data is transferred outside the EEA (e.g., to a provider’s development centre in a third country), the agreement must include Standard Contractual Clauses or rely on an adequacy decision.

A Data Protection Impact Assessment (DPIA) is required where the processing is likely to result in a high risk to individuals, profiling player behaviour, automated decision-making affecting betting limits, or large-scale processing of behavioural data all qualify. The contract should require the operator to conduct a DPIA before go-live and oblige the provider to supply all technical information needed for the assessment.

7. Audit, Access, Logging and Regulator Cooperation Clauses

Robust audit rights underpin every compliance clause in the agreement. Without the ability to verify compliance, warranties are unenforceable. A practical audit framework should address:

  • Scope: The operator (and, on pass-through terms, the NBA and MOKAS) may audit the provider’s systems, data-centre security, transaction logs, and AML/KYC integration points.
  • Frequency and notice: Routine audits no more than once per calendar year on 30 days’ written notice; ad hoc audits at any time with 48 hours’ notice where triggered by a regulatory investigation or suspected breach.
  • Conduct: Audits to be conducted during business hours, with minimal disruption, and subject to confidentiality obligations. The auditing party bears its own costs unless the audit reveals material non-compliance, in which case the audited party reimburses reasonable costs.
  • Data minimisation: Auditors may access only data necessary for the stated audit purpose; privileged legal communications are excluded.
  • Log escrow: Transaction and session logs should be escrowed with an independent third party, accessible to both parties and to regulators upon lawful demand.

An operational readiness checklist, covering system-access credentials, designated compliance contacts, and pre-approved secure data-transfer protocols, should be completed before the agreement’s effective date, as early indications suggest that the NBA is placing increasing emphasis on proactive compliance infrastructure during licence reviews.

8. IP Warranties, Indemnities, Limitation of Liability and Insurance

IP warranties game providers must give typically cover ownership of the licensed software, non-infringement of third-party intellectual property, and disclosure of any open-source components. A sample warranty:

“The Provider warrants that it is the sole owner of, or holds valid licences to, all intellectual property embodied in the Licensed Games and that the Operator’s use in accordance with this Agreement will not infringe the rights of any third party.”

The indemnity clause should cover losses arising from IP infringement claims, regulatory fines attributable to the provider’s software defects or non-compliance (noting that indemnities for regulatory fines may be limited in enforceability under Cyprus law), and data breaches originating in the provider’s systems. Limitation of liability caps are standard, typically set at 12 months’ fees or a fixed monetary cap, but should carve out fraud, wilful misconduct, IP indemnity obligations, and data-breach liabilities.

Insurance requirements should include professional indemnity, cyber-liability, and (where applicable) product-liability coverage, with minimum coverage amounts specified and evidence of renewal provided annually. Operators launching in multiple jurisdictions will find additional context in our overview of the top 10 jurisdictions to launch a licensed gambling business.

9. Dispute Resolution, Termination and Transition

Termination rights must address both commercial and regulatory triggers. Either party should be entitled to terminate immediately if the other suffers a licence revocation, enters insolvency, or commits a material breach of AML, data-protection, or NBA-compliance obligations that is not remedied within a defined cure period (typically 14–30 days for remediable breaches).

The distinction between suspension and termination matters. A contract should permit suspension of game access pending a regulatory investigation, without triggering full termination, so that the commercial relationship can resume if the investigation concludes favourably. Player-data continuity is critical: the agreement must require the provider to migrate all player-account data and transaction histories to the operator (or a successor provider) in a standard, machine-readable format within an agreed transition period.

Source-code escrow release triggers should include provider insolvency, material breach of SLA not cured within 60 days, and licence revocation. Governing law should be the laws of the Republic of Cyprus, and industry observers expect that arbitration seated in Nicosia, administered under ICC or LCIA rules, offers the most practical forum for cross-border provider–operator disputes. Those exploring how to start an online casino should factor these exit and continuity provisions into their budgeting from day one.

Reporting Obligations by Entity Type, Comparison Table

Entity Type Reporting Obligation (Timeline) Typical Contract Clause Pointer
Licensee / Operator (Class A/B) Quarterly statements to NBA; immediate STRs to MOKAS for suspicious transactions; record retention for the statutory period Require operator to provide quarterly compliance reports; covenant to file STRs; retention and audit clause surviving termination
Game Provider / Supplier Provide logs and transaction data to operator/NBA on request; cooperate with investigations; support geoblocking Data-access clause with 48-hour SLA; cooperation and technical-assistance clause; geoblocking implementation and quarterly audit clause
Aggregator / White-label Partner Notify operator of suspicious third-party integrations; ensure sub-processors comply with DPA and AML requirements Sub-processor warranty and cascading audit clause; indemnity for third-party non-compliance; immediate notification covenant

Conclusion and Next Steps

Drafting game provider agreements Cyprus-compliant in 2026 demands a clause-level understanding of NBA directives, AML obligations, GDPR requirements, and commercial realities. Use the clause templates and comparison tables above as a starting checklist, confirm each obligation against the current NBA and MOKAS guidance, and engage specialist counsel to tailor the language to your specific product and licence class. A well-drafted agreement is not merely a commercial document, it is the operational backbone of regulatory compliance for both provider and operator.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Zena Spanou at Markos P. Spanos & Co LLC, a member of the Global Law Experts network.

Sources

  1. National Betting Authority (NBA), Official Site and Directives
  2. Betting Law L.37(I)/2019 (Gov.cy)
  3. Unit for Combating Money Laundering (MOKAS), Cyprus FIU
  4. Prevention and Suppression of Money Laundering and Terrorist Financing Law (Consolidated)
  5. Commissioner for the Protection of Personal Data, Cyprus
  6. European Commission, EU Data Protection Legal Framework
  7. Cyprus Ministry of Finance, Betting and Gambling Services Documentation
  8. Cyprus Gaming and Casino Supervision Commission, AML/CTF Legal and Regulatory Framework

By Awatif Al Khouri

posted 2 hours ago

Find the right Advisory Expert for your business

The premier guide to leading advisory professionals throughout the world

Specialism
Country
Practice Area
ADVISORS RECOGNIZED
0
EVALUATIONS OF ADVISORS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisors, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GAE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

Drafting Game‑provider & Software Licensing Agreements for Cyprus (2026): Key Contract Clauses to Meet Regulatory, AML & NBA Compliance

Send welcome message

Custom Message