Selective enforcement is Germany’s biggest gambling problem

Selective enforcement is becoming Germany’s biggest gambling credibility problem!
It is Friday, the end of another long regulatory week, and many people in the gambling industry will be ready to close the laptop and head into the weekend. But before Germany’s gambling market moves on, one uncomfortable question should not be left behind. Does the country’s regulator apply enforcement pressure consistently, or does the intensity of supervision depend too much on who the operator is?
That question has been running through the entire week. It appeared in the debate over reliability under §4a GlüStV, in the Merkur and The Mill Adventure data-security case, in the discussion around suppliers and platforms behind the licence and in the scrutiny of Tipico’s continuing regulated position. Each topic is different, but they all point towards the same structural concern. Germany cannot build lasting trust if enforcement looks severe in some cases but cautious, quiet or narrowly technical in others.
The GGL describes its central task as regulating Germany’s online gambling market by reviewing and approving cross-state online gambling offers, ensuring that permitted providers comply with rules protecting players from gambling addiction and manipulation and combating illegal gambling and advertising. That is a broad mandate, not a narrow clerical function. It gives the authority responsibility for market access, player protection, legal market credibility and action against illegal supply.
The problem is not that Germany lacks rules. The problem is whether those rules are being applied in a way the market can understand. A strict system can be credible. A selective system cannot.
Reliability rules only work if they are applied evenly
Germany’s licensing framework places heavy weight on reliability, financial capability, lawful funding, ownership transparency and operational control. Under §4a GlüStV, licence applicants must satisfy extended reliability requirements, disclose ownership and participation structures, show sufficient own funds for permanent business activity and ensure that the gambling operation is transparent and monitorable by the authority.
Those requirements are serious because gambling is a sensitive market. Operators handle money, player accounts, identity data, betting activity, payment flows and behavioural information. It would be irresponsible for a regulator to treat market entry as a simple administrative approval.
But strict reliability tests create an equally strict obligation on the regulator. If reliability is interpreted broadly for one operator, it should not be interpreted narrowly for another. If financial capability, ownership structures, historic conduct or operational risks matter in one case, the market is entitled to ask how those same concepts are applied elsewhere.
This is where Germany’s credibility problem begins. The market sees some operators facing intense pressure over reliability questions, while other major names continue operating after serious legal, technical or structural concerns with limited public explanation. That does not prove unequal treatment, but it creates a perception gap. In regulation, perception becomes dangerous when the regulator does not explain its method.
Bet3000 shows why the consistency question matters
Bet3000 has become a useful reference point because it sits inside the wider debate about how Germany treats operators that are viewed as difficult, disputed or less favoured by the regulatory system. The relevant question is not whether Bet3000 should receive special treatment. It should not. The question is whether the same seriousness applied to operators under pressure is also visible when major licensed competitors face uncomfortable issues.
Reliability cannot be a flexible concept that expands when a smaller or controversial operator is being assessed and contracts when a market leader is involved. A regulator may have strong reasons for acting differently in different cases. Different facts, evidence, licence categories and procedural stages can justify different outcomes.
But different outcomes need visible reasoning. If one operator is examined through a broad reliability lens, while another is treated through a narrow technical lens, the market will naturally ask whether the law is being applied evenly. That is not a public-relations problem. It is a market-confidence problem.
Germany’s regulated gambling sector is still trying to prove that strict licensing can create a safer and fairer market than offshore alternatives. That project depends on operators believing that compliance burdens apply equally. If enforcement feels selective, compliant operators will start to wonder whether the real competitive advantage lies not in compliance, but in market position.
Merkur and The Mill Adventure raised the data-security test
The Merkur and The Mill Adventure case raised the reliability question in a different form. Public reporting alleged that a major data-security incident exposed information connected to hundreds of thousands of players across Merkur-linked German gambling sites. iGaming Business reported that cybersecurity researcher Lilith Wittmann said she accessed sensitive player data through a GraphQL query, including banking details and sign-up information, and said the incident enabled access to data belonging to more than 800,000 people.
The reported facts went beyond an ordinary website issue. According to iGaming Business, the GGL warning stated that suppliers had failed to meet an annual penetration-test obligation, which led to insufficient security for player data on the Slotmagie domain. Times of Malta also reported that Wittmann said she informed the GGL and that the authority subsequently issued public warnings to The Mill Adventure, Solis Ortus Service Ltd and Cashpoint Malta Ltd in relation to the security flaw.
That kind of incident should sit squarely inside the reliability debate. If player protection is central to German regulation, then player data security cannot be treated as a secondary technology issue. A player whose identity, payment or gambling information is exposed has not been meaningfully protected, even if deposit limits and blocking systems exist on paper.
The important question is not whether one specific sanction should have been imposed. The question is why the public did not see a clearer licence-review discussion around reliability, supplier control and continuing suitability. If a smaller operator had been linked to a major player-data exposure and failed security obligations, would the regulatory tone have looked the same?
Supplier and platform risk cannot be separated from licensing
The supplier issue is one of Germany’s most important blind spots. Modern gambling operations are rarely simple. A licensed domain may rely on platform providers, game suppliers, payment processors, identity-verification tools, affiliate networks, hosting partners, safer-gambling software and data systems.
Germany’s own technical supervision model shows that the regulator understands this complexity. The GGL states that LUGAS is one of the mandatory IT supervision systems for legal gambling providers, with technical guidelines and test-system access available under the treaty framework. The GGL also explains that Safe Server is designed to evaluate data collected by gambling providers themselves, monitor compliance with regulatory requirements, prevent manipulation and support checks of early detection systems for gambling addiction.
That makes supplier oversight central to enforcement consistency. If the real operational risk sits with a platform provider, data system, payment chain or affiliate partner, enforcement that focuses only on the visible licence holder may miss the substance of the market. The player does not experience contractual distinctions between operator and supplier. The player sees one brand, one account, one payment process and one gambling offer.
This does not mean outsourcing should be punished. Many suppliers improve compliance, technology and security. But supplier failure should not become a hiding place for responsibility. If a licensed operator depends on third parties to run key parts of the gambling business, the regulator should make clear how supplier control affects licence reliability.
Tipico shows the major-brand question
Tipico raises a separate but connected issue. It is one of the most visible names in Germany’s regulated gambling market, and its position includes German-facing permissions as well as Schleswig-Holstein online casino activity. The GGL whitelist explains that it lists permitted gambling providers and also includes offers supervised by other German gambling authorities, not only the GGL itself.
The concern is not that Tipico should automatically fail Germany’s reliability test. That would be an unsupported conclusion. The stronger and safer question is whether the GGL and state authorities should explain more clearly how they assess litigation exposure, liquidity, group money movements, historic player claims and ongoing financial resilience when granting or maintaining permissions for a major operator.
The player-claims issue is real enough to require regulatory attention. The Court of Justice of the European Union has dealt with questions linked to claims by a German consumer against Tipico concerning stakes wagered and lost on Tipico’s German website before the current framework was fully operational, according to the Court’s March 2026 press release. That does not decide the licensing question, but it does sharpen the public-interest question around ongoing reliability.
Major brands should not be judged more harshly merely because they are major brands. But they should not be judged more gently either. A well-known name, high visibility or strong commercial position should never replace a transparent regulatory assessment of reliability and financial capability.
Black-market enforcement cannot excuse silence inside the legal market
The GGL has placed significant public emphasis on combating illegal gambling. Reporting on the GGL’s 2024 activity information said the authority identified 858 German-language illegal gambling websites operated by 212 operators, and estimated illegal German-language online market volume between €500 million and €600 million.
That work matters. Illegal gambling undermines player protection, tax revenue, licensed operators and the credibility of the legal market. The regulator is right to take black-market enforcement seriously.
But black-market enforcement cannot become a substitute for transparent supervision of licensed providers. A legal market does not become credible simply because illegal operators are targeted. It becomes credible when licensed operators are also held to clear, visible and consistent standards.
This is where Germany risks creating a two-level narrative. Against illegal operators, the language is firm, visible and enforcement-heavy. Against major licensed names facing serious issues, the public often sees less about licence-review logic, continuing reliability or supervisory consequences. That imbalance weakens the message that Germany is building a fair and coherent regulated market.
The whitelist is not enough
The GGL whitelist is useful. It helps players and partners see which providers are permitted under Germany’s regulatory framework and includes a note that some listed offers fall under other German gambling authorities rather than the GGL itself.
But a whitelist is not a full enforcement model. It shows licensing status at a point in time. It does not explain how the authority evaluates serious incidents after authorisation, how licence conditions are reviewed, how supplier failures affect reliability or how litigation exposure is assessed.
That distinction matters because many market participants treat whitelist status as a trust signal. Banks, advertisers, affiliates, sports partners, suppliers and players may all rely on it. If the list is not supported by visible post-licence supervision, it risks becoming a static reassurance rather than evidence of ongoing regulatory confidence.
Germany needs the whitelist to mean more than permission. It should mean that the operator remains subject to active, serious and even-handed oversight. If the regulator cannot explain how that oversight works in difficult cases, the list loses part of its credibility.
Selective enforcement damages the legal market
Selective enforcement does not always mean corruption, favouritism or bad faith. Sometimes it is simply the result of administrative caution, legal complexity, confidential procedures, limited resources or fragmented authority between the GGL and state-level bodies. Those realities are important and should not be ignored.
But the outcome can still be damaging. If operators cannot understand why some cases trigger heavy pressure and others produce quieter handling, confidence in the system declines. If the public cannot see the regulator’s reasoning, speculation fills the gap.
The regulated market needs predictability. Operators should know what happens when there is a data-security incident, a supplier failure, an ownership concern, a financial-capability question or a major litigation exposure. They should know whether those issues trigger licence review, additional reporting, public warnings, conditions, remediation plans or sanctions.
Without that predictability, enforcement becomes harder to distinguish from discretion. A market can tolerate strict rules. It cannot easily tolerate rules that appear strict only for some.
Our final thoughts and conclusion
Germany has built one of Europe’s most restrictive online gambling frameworks. It has reliability tests, ownership-disclosure requirements, financial-capability rules, LUGAS, Safe Server, limit files, activity files, a whitelist and a regulator that publicly focuses on player protection and illegal gambling enforcement. On paper, the system looks serious.
The unresolved problem is consistency. Bet3000, Merkur and The Mill Adventure, Tipico, suppliers, platforms, black-market enforcement and licence-review standards all point towards the same question. Does Germany apply enforcement pressure according to a clear model, or does the outcome depend too much on the operator’s size, profile, connections or market importance?
A credible regulator does not have to treat every case identically. Different facts should produce different outcomes. But a credible regulator must show the market that the same core questions are being asked every time.
Who controls the operation? Is the funding stable and lawful? Are players protected in practice? Are suppliers properly supervised? Are data systems secure? Are litigation risks understood? Can the business be monitored properly? And when something goes wrong, does the licence review process respond consistently?
That is the question Germany should not avoid as this regulatory week ends. Does the GGL have a consistent enforcement model, or does regulatory pressure depend too much on who the operator is?
FAQs
Why is Germany's gambling regulation being criticised?
Germany's gambling regulation is being questioned because some industry observers believe enforcement actions appear inconsistent between different licensed operators, raising concerns about fairness and transparency.
What is the role of the GGL in Germany?
The Joint Gambling Authority of the Federal States (GGL) regulates Germany's online gambling market, issues licences, monitors compliance, protects players and combats illegal gambling activities.
Why is enforcement consistency important in gambling?
Consistent enforcement ensures that every licensed operator is treated equally under the law, helping maintain market confidence, player trust and fair competition.
What does §4a GlüStV require from gambling operators?
Section 4a of the German State Treaty on Gambling requires operators to demonstrate reliability, financial stability, transparent ownership structures and effective operational controls before receiving a licence.
Why are data security incidents relevant to gambling regulation?
Operators handle sensitive customer information, including payment and identity data. Serious cybersecurity failures may affect player protection and could influence regulatory assessments of operator reliability.
How do third-party suppliers affect gambling compliance?
Many gambling operators rely on external technology providers, payment processors and platform suppliers. Regulators must ensure these partners also meet security and compliance standards.
What is Germany's gambling whitelist?
The whitelist is an official register of licensed gambling operators authorised to offer legal gambling services in Germany under the country's regulatory framework.
Why is black-market gambling still a concern?
Illegal gambling websites undermine licensed operators, reduce consumer protection and create unfair competition, making enforcement against unlicensed operators a key regulatory priority.
What is LUGAS?
LUGAS is Germany's mandatory technical monitoring system that helps regulators supervise licensed gambling operators and enforce responsible gambling requirements.
What is the main concern raised in the article?
The article questions whether Germany applies gambling enforcement consistently across all operators and argues that greater transparency would strengthen confidence in the regulated market.









































