The European regulatory framework for digital business models is evolving – with significant implications for artificial intelligence (AI), data protection (GDPR), data law and reporting obligations in the event of cyber incidents. Under the banner of the “Digital Omnibus”, the EU aims to simplify rules, reduce duplication of obligations and facilitate innovation – without compromising core protection objectives. [1]
This is highly relevant for gambling providers in Europe: hardly any other industry combines so many sensitive issues within a single operating system, such as payment data, behavioural analysis, fraud prevention, responsible gambling/player protection, marketing personalisation and cross-border regulation. Those who organise AI and data protection compliance merely “as an afterthought” risk sanctions, licensing issues or even licence revocation and a loss of trust – those who manage it professionally turn compliance into a competitive advantage.
What does “Digital Omnibus” Mean in Practice – and Why Does it Affect AI and Data Protection Simultaneously?
The Digital Omnibus aims, among other things, at targeted adjustments and clarifications regarding the AI Act, GDPR, Data Act, ePrivacy/cookies, and the harmonisation of cyber reporting obligations. This creates new scope for iGaming providers – but also clearer expectations regarding governance, transparency and accountability.
Key areas that gambling providers should now factor into their plans:
- AI (AI Act): Implementation is to become more practical, whilst obligations remain – particularly regarding governance, standards, timelines and monitoring (depending on risk class).
- Data protection (GDPR): Greater clarity on pseudonymisation and the use of personal data for AI training (e.g. via ‘legitimate interests’), alongside a strengthened right to object and high transparency requirements.
- Cookies & Tracking (ePrivacy framework): Less ‘banner fatigue’ through simplified consent mechanisms and stronger centralised preference management – still subject to the GDPR framework and sanctions.
- Cyber reporting obligations: In the long term, a “single entry point” instead of multiple reports under overlapping regimes (including GDPR/NIS2) – important for incident workflows, roles and reporting.
In addition, DSA/DMA requirements also play a role in the digital regulatory mix (e.g., transparency, handling of data/algorithms, advertising/platform obligations) – particularly relevant for iGaming where personalisation, bonus logic or moderation/communication are concerned.
The iGaming Reality: AI Use Cases Triggering Data Protection Requirements – and Data Protection that Limits AI
Many AI applications in online gambling are not merely “nice to have” but core operations: fraud detection, risk scoring, player protection scoring, bonus optimisation, limit adjustments, personalised interventions. This is precisely where the AI Act, GDPR and Omnibus clarifications intersect: Data basis, purpose limitation, transparency, bias control, audit trails – everything must fit together.
Typical areas of conflict:
- Data minimisation vs. model quality: Robust data is required for the reliable detection of problematic gaming behaviour or fraud – the GDPR demands clear purposes, a legal basis and protective measures (e.g. pseudonymisation, access policies, logging).
- Transparency obligations vs. “black box” models: AI-supported decisions must be explainable and documentable (e.g. governance, reviews, monitoring, bias checks) – particularly in sensitive use cases.
- Data subjects’ rights (e.g. right to object) vs. personalisation: When players are addressed, categorised or restricted in a personalised manner, information obligations, opt-out/objection mechanisms and processes must function properly.
How We Support You: Managed Services for AI & Data Protection in the Omnibus Era
We offer a scalable managed services portfolio for iGaming that covers key roles and processes – including Data Protection Officers (DPOs), AI Compliance Officers, MLROs, AML/CFT, transaction monitoring, fraud/payment management, player protection/responsible gambling, internal audits and training. The aim is to outsource operational compliance without losing control – with measurable evidence for authorities and stakeholders.
Data Protection as a Managed Service: DPIA, DMS, Communication with Authorities, Breach Readiness
At Chevron, DPO/GDPR as a Service means: continuous support rather than one-off consultancy – including risk analyses, Data Protection Impact Assessments (DPIA) for AI-supported processes, setting up and operating a data protection management system, processes for data subject requests, and support in communicating with supervisory authorities.
Particularly valuable for gambling providers:
- Guidelines for data-intensive core processes (KYC, payments, fraud, RG, marketing)
- Robust technical and organisational measures (pseudonymisation, access control, logging, minimised data retention)
- Clear, player-friendly privacy notices including AI transparency statements
KI-Compliance Officer: AI-Act-Readiness, Governance, Dokumentation, Monitoring
The AI Compliance Officer supports operators in correctly classifying AI use cases under the AI Act, assessing risks and establishing an AI compliance management system – including responsibilities, documentation, audit trails, reporting and ongoing monitoring (e.g. bias/undesirable effects).
Focus on typical iGaming use cases:
- Fraud detection & transaction anomalies
- Responsible gambling scoring & interventions
- Bonus/marketing algorithms and fairness/transparency
Where appropriate, we support the use of regulatory sandboxes and simplified implementation frameworks, which are intended to be facilitated within the Omnibus context.
Integrated Operations: AML/CFT, Fraud, Payments amp; Responsible Gambling
The Digital Omnibus aims, among other things, to reduce duplicate obligations and harmonise governance. For iGaming, this means in practice: fewer silos between AML, Fraud, Payment Security and Player Protection – and greater “end-to-end” auditability. We support this with:
- Risk-based AML/CFT frameworks, transaction monitoring, reporting quality
- Integration of fraud/payment protection and compliance workflows
- 24/7 player protection operations with documented interventions and KPIs
Technology That Reduces Interfaces: MGT Aggregator, PowerComply, DashOne, Global Regulatory Gateway
Especially when regulation aims to “simplify”, interfaces and reporting become key success factors. We provide technology building blocks that reduce integration effort and enhance compliance controls:
- MGT Aggregator: modular API as a central interface (“one connection, full selection”)
- PowerComply: real-time monitoring of suspicious activities for anti-money laundering and gambling addiction prevention
- DashOne: central real-time dashboard for analysis and reporting
- Global Regulatory Gateway: access to regulatory databases (e.g. LUGAS “Safe Server”, CRUKS, DGOJ identification service)
Conclusion
The “Digital Omnibus” therefore brings regulatory simplifications for the iGaming industry, but at the same time increases the requirements for integrated, verifiable compliance structures. AI, data protection and cyber regulation are becoming increasingly intertwined – and require companies to adopt a holistic governance model rather than isolated individual measures.
For the online gambling market, this means in concrete terms: those who invest early in structured processes, clear responsibilities and scalable compliance solutions can reduce regulatory complexity whilst simultaneously strengthening trust among authorities and customers. Managed services are increasingly becoming a strategic lever for combining efficiency, legal certainty and the ability to innovate.
The next steps for companies should therefore be to review AI and data processes, centralise compliance governance, enhance transparency and documentation, and outsource operational implementation specifically where specialisation and scale offer decisive advantages. In this way, compliance becomes not just an obligation, but a sustainable competitive advantage.