iGaming Compliance in the UAE: A Regulatory Guide for Operators
iGaming compliance in the UAE means meeting a federal anti-money-laundering regime that now treats commercial gaming operators as regulated obliged entities. Cabinet Resolution No. 134 of 2025 took effect on 14 December 2025. From that date, online gaming platforms, sports-betting operators, and lottery providers became Designated Non-Financial Businesses and Professions (DNFBPs) under Federal Decree-Law No. 10 of 2025. Customer due diligence is mandatory. Ongoing monitoring is mandatory. Suspicious-transaction reporting is mandatory too, and a regulator in the Emirates will now read every one of those duties as a binding condition of holding the gaming licence rather than as a matter of voluntary good practice.
For years the story in the Emirates was simple. Gambling was banned outright, no licensed activity existed to supervise, and so the compliance question barely arose for anyone selling into the market. That era has closed. Prohibition has given way to a licensed regime, and operators eyeing the opportunity now face an AML rulebook pitched at the same level of rigour that banks have lived under for decades.
Why iGaming Compliance in the UAE Changed So Fast
Two instruments, eighteen months apart, account for the entire shift. On 3 September 2023 the UAE stood up the General Commercial Gaming Regulatory Authority, a federal body headquartered in Abu Dhabi and granted exclusive jurisdiction to license and supervise commercial gaming. Lottery falls inside that remit. So do internet gaming, sports wagering, and land-based venues. Establishing the GCGRA did more than open a door; it set the legal frame the whole market would sit inside.
Federal Decree-Law No. 10 of 2025 supplied the heavier piece. This statute, the country's AML/CFT and proliferation-financing law, took effect on 14 October 2025 and replaced the older Federal Law No. 20 of 2018. Banks and financial institutions already answer to the very same regime across the wider UAE AML landscape. Executive regulations followed two months later. Cabinet Resolution No. 134 of 2025 did one decisive thing: it stretched the DNFBP definition to capture any party running a commercial gaming hall, operating gaming online, taking sports bets, or running lottery games.
Designation matters enormously here. Classification as a DNFBP imports the full apparatus of AML duty. Operators must run risk assessments. They must appoint a compliance officer, keep records, screen transactions, and file reports. Reporting for gaming transactions triggers at AED 11,000, reached either in one payment or across a linked series of them. Penalties for falling short are not nominal. Organisational fines can reach AED 100 million, the gravest breaches carry prison terms of up to ten years, and market access and rulebook arrived in the Emirates almost in the same breath, which leaves no grace period for any operator planning to work compliance out later.
What an iGaming Operator Actually Has to Do
Behind the legalese the duty is plain enough. Know who is playing. Watch where the money moves. Report what does not add up. Player onboarding comes first. An operator has to confirm a customer's identity and confirm that the customer is old enough to play before any deposit or withdrawal clears, and the check has to scale to thousands of sign-ups without becoming an ordeal that drives legitimate players away. High-value players and customers from higher-risk jurisdictions warrant enhanced due diligence. That deeper review probes source of funds and customer background well past the standard checks.
Then monitoring runs without pause. Gaming throws up laundering patterns that other sectors rarely encounter, among them rapid deposits chased by near-immediate withdrawals, dormant accounts that abruptly churn large balances, and deposits structured to sit just below the reporting threshold. Screening players against sanctions lists and politically-exposed-person lists belongs to the baseline rather than to some premium tier. Behavioural transaction monitoring is the control that catches structuring a one-time check would always miss. Every decision and every flagged payment then has to be documented, because a regulator can demand the trail on short notice.
KYC Hub's iGaming compliance solution is built around precisely this shape of work. Start with age. Age verification keeps under-age users off restricted sites. Identity checks run with liveness and document verification, sanction and PEP screening sits alongside continuous AML monitoring of high-risk clients, and suspicious gaming patterns get surfaced, the early-withdrawal behaviour that so often signals abuse included, with AML coverage spanning more than 190 countries. A UAE operator assembling onboarding and ongoing checks beneath one licence gains as much from consolidating those steps in a single place as from the checks themselves.
How UAE Gaming Rules Differ From the Rest of the Picture
Reading the new framework as a blanket green light would be a costly error. Sharp lines run straight through it. Misjudge one and the consequences are severe. Skill-based gaming, esports, and game development have been permitted for years, on the condition that content respects cultural and religious norms. Chance-based gambling outside the licensed regime remains a criminal matter. Article 414 of the UAE Federal Penal Code makes gambling an offence carrying fines up to AED 20,000 and imprisonment of up to two years. Move that activity online and the Cybercrime Law, Federal Decree-Law No. 34 of 2021, raises the stakes further: using technology to facilitate gambling can draw fines reaching AED 1 million and markedly longer sentences. Conviction on a gambling-related charge can also see an expatriate deported.
Enforcement reaches the consumer, not only the operator. Working through internet service providers, the Telecommunications and Digital Government Regulatory Authority blocks sites that facilitate illegal online gambling. VPN use is lawful in itself. Reach blocked gambling content through one, however, and the act becomes a cybercrime offence in its own right. For an operator the lesson admits no ambiguity. A GCGRA licence backed by full AML compliance is the single thing separating a legitimate business from a criminal one, and no informal middle ground exists between the two.
Who Oversees Gaming Compliance in the UAE
Oversight is shared. Authority over the sector is split, and what an operator does dictates which rules bind it. Commercial gaming answers to the GCGRA, holder of the licensing and supervisory power. Video-game content runs instead through the Media Regulatory Office, formerly the National Media Council, for cultural and ethical compliance. Game developers, publishers, and esports organisers face a further step: a business licence from the Department of Economic Development, issued with content and age-classification conditions attached and enforced against every studio that ships a title into the local market.
Emirate-level bodies stack another layer on top. Dubai Media City supplies infrastructure for studios and esports businesses. In the capital, the Abu Dhabi Media Zone Authority launched the Abu Dhabi Gaming Initiative to grow local studios and tournaments. Both initiatives trace back to the UAE Centennial 2071 vision, with its emphasis on digital innovation and youth engagement. The Emirates Esports Federation, for its part, steers the sector's growth, supports national teams, and has lent its backing to high-profile events such as the GirlGamer Esports Festival staged in Dubai for competitors drawn from across the region.
Mapping comes first. Pinning down which regulator governs which activity is the practical starting point for any compliance programme, since a pure esports studio answers to a different mix of authorities entirely and therefore sits in a markedly different position from a licensed sports-betting platform.
What Comes Next
Tightening, not loosening, is the trajectory to expect. The GCGRA is still building out its licensing regime and moving deliberately as it does so. Its AML regulations fold proliferation-financing risk in explicitly, and that single inclusion signals a deliberate effort by the UAE to align itself with the strictest global standards rather than the minimum that licensing alone would require. Controlled commercial gaming in defined zones looks set to widen. Scrutiny will widen alongside it.
One conclusion follows for operators. Build compliance in from the first line of code, well before the licence is in hand. Inside a regime that carries nine-figure fines and prison exposure for the people running the business, treating KYC and AML as an afterthought to be retrofitted later simply costs far too much.
