Spelinspektionen has issued updated regulations standardising how licensed gambling operators in Sweden must technically connect to Spelpaus, the country’s national self-exclusion register, with the new rules taking effect from 1 August 2026.
The regulations were decided on 23 April and published on 29 April. They introduce mandatory credential-based authentication for all register queries and define separate API pathways for different check types, marking a more prescriptive approach to a system that has been in place since Sweden’s 2019 gambling reform.
What Changes for Operators
Each licence holder will receive a unique Actor ID and API Key under the new framework. These credentials must be used for every query to the self-exclusion register, and licence holders must ensure they are applied consistently across all checks.
Three distinct check requirements are now codified. Operators must verify a player’s self-exclusion status during new player registration, at each login attempt, and before sending any direct marketing communications. The rules also separate the technical pathways: marketing-related checks must use a dedicated marketing API, while registration and login checks must go through a distinct login API. A self-exclusion check is defined as complete only once it definitively confirms whether an individual is excluded or not.
For operators whose current integrations handle all Spelpaus queries through a single connection, the bifurcation of API pathways will require structural changes before the August deadline.
Outsourcing Does Not Transfer Liability
The regulations make clear that responsibility remains with the licence holder even when technical checks are delegated to third-party service providers. Licence holders must ensure their assigned Actor ID and API Key are in use at all times, regardless of how the technical function is structured or who performs it.
This is a meaningful clarification for operators relying on platform providers or B2B integration partners for their Spelpaus connectivity. The compliance obligation does not transfer with the technical work. Operators outsourcing to PAM providers or aggregators will need to confirm that their credentials, not a shared or generic key, are applied to every check made on their behalf.
Sweden’s broader regulatory approach to operator accountability has moved in this direction for some time. ATG’s difficulties in 2026, including management changes alongside revenue pressure, reflect the degree to which Swedish operators are navigating tighter conditions across compliance, taxation, and market performance simultaneously.
What the Regulations Do Not Yet Cover
The updated rules establish the overarching technical framework but stop short of specifying detailed API documentation, response formats, or service performance standards. For operators beginning integration planning, that gap leaves substantive questions unanswered. Spelinspektionen has not indicated when supplementary technical guidance will follow.
The absence of performance standards is notable. Without defined uptime, latency, or fallback requirements for the Spelpaus API, operators have no regulatory baseline against which to assess what happens if the register is unavailable during a login attempt or a marketing send.
Background: Spelpaus Since 2019
Spelpaus was introduced as part of Sweden’s gambling re-regulation in 2019, which moved the market to a licensing model and required all operators holding a Swedish licence to integrate the national self-exclusion register. Players can self-exclude for periods of one, three, or six months, or for 12 months or more.
The register was updated in 2023 to improve access to information on gambling problems and introduced an option for players to extend their exclusion period beyond the originally chosen timeframe.
Sweden’s licensed gambling market reported 0.5% revenue growth in Q3 2025, with online channels driving most of the performance. The country’s regulated market is mature, with relatively stable volumes, which puts the focus squarely on compliance infrastructure rather than growth dynamics.
Spelpaus drew public attention last year after a documentary series alleged the register had experienced a data breach. Spelinspektionen rejected the claims promptly and emphasised the technical safeguards in place.
“There is no information about whether the person who has excluded themselves is addicted to gambling or not,” a Spelinspektionen spokesperson said at the time, adding that all data held in the register is encrypted.
The episode underscored the sensitivity of self-exclusion data and the reputational risk attached to any perceived failure of the system, for the regulator and for operators alike.
Compliance Timeline and Context
With the rules effective from 1 August 2026, licensed operators have approximately three months to align their technical integrations with the new requirements. Given that detailed API specifications are not included in the published regulation, operators would be well placed to seek early engagement with Spelinspektionen rather than waiting for supplementary documentation to arrive.
The Spelpaus update fits a consistent pattern across Nordic markets. Regulatory fines across the region have demonstrated that enforcement is active and penalties are applied to operators of all sizes. The new Spelinspektionen rules are incremental rather than structural, but their implications for compliance and technical teams are direct. Operators that treat the August deadline as a firm technical delivery date, rather than a target, will be in a stronger position when Spelinspektionen begins assessing adherence.
Source: Spelinspektionen
