18/08/25
AI is reshaping how online gambling platforms work — from spotting problem gambling to personalising player experiences. However, alongside these opportunities come serious legal risks: How can operators strike a balance between innovation and compliance? This piece explores the main regulatory duties, practical risks, and real-world examples shaping the industry today.
⚖️ Rules of the Game – What the Law Says
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and will apply in phases up to 2027. It introduces a risk-based classification of AI systems - unacceptable, high, limited, minimal, and general-purpose.
High-risk AI systems - such as those detecting problematic gambling or adjusting betting limits - must meet stringent requirements, including data governance, transparency, human oversight and cybersecurity controls, and must undergo conformity assessments.
Systems deemed “unacceptable” - such as exploitative or manipulative AI - are strictly prohibited under the same Act.
Operators must also comply with the GDPR when processing personal data via AI - for example, ensuring legal bases, encryption, minimisation, consent or legitimate interest, and informing users about automated decision-making logic.
The UK Gambling Commission (UKGC) has warned about emerging AI-enabled risks - such as deepfakes and synthetic identities in KYC - and urges operators to strengthen controls and staff training.
Finally, general EU digital regulations like the Accessibility Act and Digital Services Act also impact gambling platforms, demanding accessible design and responsible content moderation. These apply even to operators based outside the EU through extraterritorial reach.
🔄 EU vs UK – Same Game, Different Rules
While EU regulation hinges on the AI Act’s risk-based approach, the UK still relies on sector-specific oversight, principally via the Gambling Commission, whose evolving stance on AI risks like deepfakes complements but does not replicate the EU’s framework.
The AI Act’s extraterritorial reach means non-EU operators serving EU players must nonetheless comply, mirroring how GDPR applies based on use of data, not operator location.
In comparison, while both frameworks seek to protect consumers, the EU’s approach is principle-based and technology-neutral, enforcing transparency, fairness, cybersecurity, and human oversight. The UK’s approach, particularly on fraud, tends to be reactive, issuing guidance as risks emerge (e.g., identity deepfakes).
Moreover, the AI Act actively prohibits manipulative systems and mandates governance structures such as internal AI committees and documentation. UK regulation, for now, lacks that formal structure and instead emphasises operational vigilance and licensing repercussions.
Both jurisdictions, however, converge on data protection: GDPR remains binding in the EU, and the UK retained a similar standard post-Brexit, requiring operators to uphold privacy and transparency when using AI.
🔍 Real-World Lessons – When AI Meets Gambling
Consider a scenario where an operator deploys an AI scoring tool to detect problem gambling. Under the EU AI Act, such a tool is likely “high-risk”: operators must conduct a conformity assessment, ensure human review of flagged cases, and document all processing steps.
Should an AI model unfairly target certain demographic groups, perhaps due to biased training data, that would contravene both EU anti-discrimination duties and GDPR fairness principles. Regular bias audits and model retraining would be required.
In the UK context, a gambling operator has been warned by the Gambling Commission regarding AI-generated fake IDs and promotional deepfakes that facilitate illegal gambling. This illustrates real regulatory enforcement applied to emergent AI threats, even without explicit AI law-making. It is critical for operators to train staff in detecting such fraud and to apply strong verification protocols.
Operators using AI chatbots to handle self-exclusion requests, for instance, must implement human-in-the-loop checks to guard against misinterpretation and wrongful denial, satisfying both AI Act governance expectations and general consumer protection standards.
Lastly, using AI to generate promotional content raises IP issues: operators must ensure AI-generated media does not infringe copyright and clearly define ownership of such content.
This analysis has outlined how AI transforms online gambling, imposing legal obligations under the EU AI Act, GDPR, and UK Gambling Commission frameworks. We explored risk classifications, data protection, fairness, cybersecurity, and regulatory differences between the EU and UK. Real-world examples - from bias and fraud detection to AI chatbots and deepfake risks - underscore the practical implications for operators.
NUR Legal stands ready to advise operators on navigating these complex legal landscapes, whether you require compliance strategies, risk audits, or governance framework design. Contact NUR Legal for tailored legal support in this rapidly evolving field.
Emil Korpinen
