Obtaining a Curaçao gaming license now means navigating the most consequential regulatory transformation in the jurisdiction’s 25-year history as an iGaming hub. The legacy master-license and sub-license architecture has been dismantled outright, and the bar for operators — including the technical infrastructure underpinning their platforms — has risen accordingly. What follows is a current-state overview of the regulatory landscape and a practitioner’s look at the iGaming Hosting considerations that actually bear on the readiness of any Curaçao iGaming license application.
This article is provided for informational purposes and does not constitute legal advice. Final determination of compliance rests exclusively with the Curaçao Gaming Authority (CGA) as part of its licensing procedure.
From GCB to CGA: Clearing Up a Persistent Misconception
For years, industry commentary treated the Curaçao Gaming Control Board (GCB) and the Curaçao Gaming Authority (CGA) as two distinct bodies operating in parallel. That characterization is inaccurate and increasingly outdated — and it matters, because anyone researching a Curaçao online gaming license today needs to be working from the current institutional map, not a legacy one.
- The GCB was reconstituted as the CGA — a single institution that underwent a change in mandate and legal standing, not two competing regulators.
- On 24 December 2024, the National Ordinance on Games of Chance (Landsverordening op de Kansspelen, “LOK”) entered into force, superseding the 1993 Offshore Games Ordinance in its entirety.
- The four-master-license sub-licensing model has been abolished: all sub-licenses expired by 31 January 2025.
- As of mid-2025, the CGA has explicitly prohibited Curaçao-registered entities from operating under foreign licenses (Anjouan, Kahnawake, Tobique, and similar) — a CGA-issued license is now the sole legitimate authorization for locally registered operators.
Reform Timeline
| Date | Milestone |
|---|---|
| 17 July 2023 | New licensing regime formally announced |
| November 2023 | Applications opened under the incoming framework |
| May 2024 | Updated AML/CFT/CFP regulations introduced |
| 24 December 2024 | LOK enters into force; application portal temporarily suspended |
| 31 January 2025 | All legacy sub-licenses expire |
| March–June 2025 | Applications reopen (B2C in March, B2B in May/June) |
| July 2025 | Foreign-license prohibition for Curaçao-registered entities takes effect |
The regulator is still operationalizing several aspects of the new regime, and procedural details — processing timelines, fee schedules, documentation depth — remain subject to refinement. Operators preparing an application are well advised to verify current requirements directly against the CGA’s official portal rather than relying solely on secondary commentary.
How Licensing Is Structured Under the LOK
A Curaçao gaming license is no longer a one-size-fits-all authorization. The new framework distinguishes licenses by function:
- B2C license — for operators offering games of chance directly to end users.
- B2B license (Critical Supplier) — for providers of critical services or goods (platforms, RNG engines, payment infrastructure, etc.) that are themselves incorporated in Curaçao. Notably, critical suppliers incorporated outside Curaçao are not required to hold a CGA license.
The application process runs in two sequential phases, each nominally around eight weeks with a possible four-week extension:
- Phase 1 — vetting of Ultimate Beneficial Owners (UBO threshold: 10% equity or greater) and key persons, covering financial standing, integrity, and due diligence.
- Phase 2 — assessment of remaining requirements: corporate structure, AML/CFT policy, technical documentation, RNG certification, and operational readiness of the platform.
The LOK also introduces an economic substance requirement: a genuine Curaçao-registered legal entity, a physical office, and a minimum complement of Curaçao-resident staff or directors. This has direct implications for how operators architect and manage their infrastructure footprint.
Infrastructure and Regulatory Expectations: Separating Substance from Marketing
Holding a Curaçao gambling license is only half the equation — the CGA does not publish a prescriptive data-center specification as a hard licensing condition, but it does scrutinize an operator’s demonstrable capacity to preserve transactional integrity, ensure business continuity, and support audit access on demand. In practice, infrastructure decisions should be evaluated against these underlying principles rather than against vendor claims of formal “Tier” mandates.
Continuity and Fault Tolerance
The regulator’s interest lies not in a specific data-center certification per se, but in an operator’s ability to avoid transaction data loss and evidence that resilience during an audit. Sound practice for operators seeking to de-risk this area includes:
- Redundant power and connectivity paths engineered to eliminate single points of failure
- Real-time availability monitoring with a retained incident history
- A documented, testable escalation procedure for outages
Claims that “Tier IV is mandated by the regulator” are not substantiated in publicly available regulatory text — Tier classification is an Uptime Institute industry standard, not a direct LOK requirement. When evaluating providers, request the specific certificate and its issue date rather than accepting general assurances at face value.
Gaming Transaction Log (GTL) Integrity and Accessibility
Auditability is a structural pillar of the LOK regime. A pragmatic approach includes:
- Storing transaction logs in a format that supports rapid extraction on regulatory request
- Minimizing the interval between an event and its capture in the logging system (near-real-time capture rather than daily batch processing)
- Enforcing role-based access control (RBAC) over logs to preclude retroactive tampering
Backup and Disaster Recovery
Industry-standard practices that reduce both audit risk and operational risk include:
- Encryption of data at rest and in transit (AES-256 is the prevailing industry baseline)
- Isolation of backup environments from production (air-gapped or logically segregated storage)
- A documented rotation and retention schedule with verifiable integrity checks
The Solution: Our infrastructure platform integrates automated, enterprise-grade encrypted (AES-256) backup pipelines out of the box. We build fully compliant, resilient architectures that optimize your Disaster Recovery strategy, ensuring these environments are completely isolated (logically segregated and air-gapped) from the primary production environment and run on verified rotation schedules that fully satisfy CGA data retention expectations.
Data Localization
Current regulation does not require that an operator’s entire infrastructure be physically hosted in Curaçao. What the CGA does expect is timely, unobstructed access to critical data — chiefly transactional and AML-related records — without excessive intermediary delay. Many operators address this by maintaining a replica of critical data within reach of the regulator, or by establishing contractual and technical mechanisms that guarantee prompt access during an audit, irrespective of where the primary environment is hosted.
Evaluating an Infrastructure Partner: A Practical Checklist
When assessing a hosting or infrastructure provider in the context of a CGA gaming license application, the priority should be verifiable artifacts rather than promotional language:
- A current data-center tier certificate, complete with reference number and issue date — not a bare assertion of “Tier IV”
- Documented RPO/RTO figures for mission-critical systems (transaction logs, payment data)
- A concrete encryption policy — algorithm, key custody, and access governance
- A substantive SLA with measurable metrics and penalty clauses, not a blanket “guaranteed uptime” claim
- A demonstrated ability to produce log extracts in a format acceptable to a CGA auditor, with a realistic turnaround estimate
- Independent third-party certifications (ISO 27001, SOC 2, etc.) rather than self-attested compliance
- References from operators who have already been licensed while using the provider’s infrastructure
Frequently Asked Questions
No. Current regulation does not mandate that the entirety of an operator’s infrastructure reside on the island. The practical expectation is timely, verifiable access to critical data — particularly transaction and AML records — for regulatory purposes. Many operators satisfy this through a local or regionally accessible data replica rather than a full on-island deployment.
No. All sub-licenses issued under the legacy master-license system expired by 31 January 2025. Operating under an expired sub-license, or under a foreign license while incorporated in Curaçao, is treated by the CGA as unauthorized operation and carries legal exposure. A direct Curaçao gaming license application through the CGA is the only path forward.
It depends on your business model. A B2C license applies if you offer games of chance directly to players. A B2B (Critical Supplier) license applies if you provide platform, RNG, payment, or similar critical infrastructure services and your entity is incorporated in Curaçao. If your supplier entity is incorporated outside Curaçao, a CGA license for that entity is generally not required — though your operator counterparty’s obligations remain unaffected.
Securing a Curaçao gaming license proceeds in two phases, each nominally around eight weeks with a possible four-week extension — roughly 16 to 24 weeks end-to-end under normal circumstances. Timelines are sensitive to documentation quality and UBO complexity; incomplete submissions are the most common source of delay. For current processing guidance and application forms, consult the official CGA licensing portal.
No single certification guarantees licensing success. A Tier IV rating addresses facility-level fault tolerance, but auditors are equally concerned with log accessibility, encryption governance, and demonstrable incident-response procedures. Infrastructure choices should be assessed holistically against the checklist in Section 4, not on the strength of one certification alone.
License Type Comparison at a Glance
| Consideration | B2C License | B2B License (Critical Supplier) |
|---|---|---|
| Who it applies to | Operators offering games directly to players | Providers of critical services/goods incorporated in Curaçao |
| Foreign-incorporated equivalents | Not applicable — must be Curaçao-incorporated to operate from/in Curaçao | Not required if the supplier is incorporated outside Curaçao |
| Core review focus | Player protection, AML/CFT, platform integrity, RNG certification | Service reliability, data handling, contractual accountability to licensed operators |
| Typical review structure | Two phases: UBO/key-person vetting, then full compliance review | Same two-phase structure, weighted toward technical/operational documentation |
| Infrastructure emphasis | Transaction logging, player data protection, backup integrity | Uptime commitments to operator clients, audit-log accessibility, data segregation between clients |
Conclusion
The LOK reform has made the process of securing a Curaçao gaming license considerably more demanding — but also more predictable: less room for interpretive flexibility, and clearer rules of engagement. For operators, this means infrastructure decisions should be grounded in verifiable technical and contractual parameters — certificates, SLAs, concrete log-access procedures — rather than in generic assurances of “full compliance.” The final assessment of readiness rests, as ever, with the CGA itself under its two-phase licensing procedure.
This article reflects publicly available information as of mid-2026. The regulatory framework continues to evolve; applicants should verify current requirements against the CGA’s official portal before submission -> https://portal.gamingcontrolcuracao.org/





