The biggest fine the Dutch gambling regulator has ever issued landed in March 2026. The number was the story everyone shared. The reasoning behind the number is the part that should change how grey-market operators think about their stack.

Novatech, an offshore operator, was fined EUR 24,846,000 by the Kansspelautoriteit. A second operator, Fortaprime SRL, was fined EUR 1,795,000 in the same enforcement wave. The KSA said the headline number was constrained by the statutory cap of 10 per cent of global turnover. Without the cap, the regulator estimated the appropriate penalty would have exceeded EUR 100 million.

That cap is itself becoming a political target. The Dutch government has been lobbied by the regulator to remove or substantially raise it. If that change passes, the next major enforcement action against an unlicensed operator could land in nine figures.

What KSA actually penalised

The fine was not just for operating without a Dutch licence. The published reasoning identifies three discrete findings, and the second one is the one that matters most for the broader market.

First, Novatech accepted Dutch players without holding a Dutch licence. This is the headline offence. It is also the most predictable one. Any unlicensed operator in any regulated market is exposed to the same charge.

Second, the platform accepted cryptocurrency payments from Dutch players. KSA did not treat this as a payment-method choice. The regulator framed it as deliberate circumvention. Crypto, in the regulator's view, was a tool to make the unlicensed business harder to track, harder to shut down at the payment rail, and easier to operate from outside the jurisdiction. The framing is what shifts the precedent.

Third, the platform lacked visible age verification. This added a player-protection layer to the AML and licensing failures and made the conduct look indifferent to local consumer law.

Each finding is a separate compliance failure. The fine reflects all three. The KSA's reasoning makes clear that an operator running grey but with strong KYC, fiat payment rails, and visible age gates would have faced a different fine. Probably still a large one. But a different one.

Why the crypto framing changes the calculus

Until this month, the standard grey-market posture in Europe was something like "we operate without a licence, we accept whatever payment methods our customers want, and we manage the regulatory risk through legal entity structure and geographic dispersion." Crypto was a feature, not a liability. It reduced chargeback exposure, simplified payment processing, and let operators avoid the documentation overhead of card processing.

KSA's framing changes that. Crypto is now, in the eyes of at least one significant European regulator, evidence of intent to circumvent. That evidence increases the moral severity of the offence and supports a larger fine.

If the framing spreads, and there is no reason to think it will not, the calculation for grey-market operators looks different. The grey-market business model has always traded regulatory risk for cost savings. The trade was: skip the licence fees, skip the compliance overhead, accept some enforcement risk. The new framing increases the enforcement risk weighting in that trade. Crypto stacks now carry a multiplier.

What licensed operators should do

Three things, in this order.

First, audit your geographic targeting. Every European regulator with a domestic licensing regime is now actively scanning for unlicensed inbound traffic. Geo-blocking that depends on player declared country is not enough. The regulator can and will check IP, device, and payment origin. If your geo-blocking is soft, fix it before someone else fixes it for you.

Second, audit your payment stack. Even licensed operators run mixed payment rails. If you accept crypto in markets where you hold no licence and the geo-block can be bypassed, you are exposed to the Novatech-style framing even though you hold a licence somewhere. Crypto is not a problem in itself. Crypto into a market you cannot legally serve is the problem.

Third, audit your age verification to ensure it does what it is supposed to do. The KSA enforcement framing treats missing age verification as an aggravating factor in the fine calculation. If your KYC tier-up is not strict on age, as it should be, that is now a material risk.

What grey-market operators should think about

The honest answer is harder. Grey-market operation has been a viable strategy for years. The Novatech case does not make it suddenly unviable. It changes the economics.

A grey-market operator running a crypto-first stack and serving European players is now in the highest enforcement-risk category. The Dutch fine sets a precedent that will be cited in Belgian, German, French, Italian, and Spanish enforcement decisions. The number itself is not the deterrent. The framing is. Once a regulator can argue that crypto is evidence of intent, the fine ceiling moves up.

If you are operating grey today and your strategy has always been "I will get licensed when I have to", that moment is now. The 2026 enforcement calendar across Europe shows coordinated action through Q2 and Q3. Application queues at credible licensing authorities have already lengthened from weeks to months. By Q4 the queue will be longer still.

The cost of being licensed in a low-cost jurisdiction is around EUR 27,000 to EUR 41,000 in Year 1 across Anjouan and Nevis. The cost of being unlicensed is now, demonstrably, EUR 24.8 million on the high end and rising. The math is not subtle.


What this case may become precedent for

Three other enforcement angles are likely to follow Novatech in the next 12 months.

The first is the formalisation of crypto-as-circumvention as a regulatory doctrine. Other European regulators will adopt the framing because it is useful to them. The German regulator, the Belgian regulator, and the French ANJ all have the same enforcement problem and the same toolkit. KSA went first. The others will follow.

The second is the expansion of cross-border information sharing. European regulators have been quietly building cooperation agreements through 2025. Novatech is the first major case where that infrastructure shows up in the public record. Expect the next wave of fines to involve operators flagged by one regulator and sanctioned by another.

The third is the payment-processor crackdown. Major card networks and PSPs have been tightening underwriting on iGaming for two years. Novatech will accelerate that. PSPs do not want to be the next one in front of a regulator explaining why they processed payments for an unlicensed operator. The pressure will be transmitted upstream to operators in the form of stricter MID applications, lower volumes, and faster terminations on suspicion.

The window is closing on grey operations

I have written before that the grey-market business model is being squeezed from three sides at once: the regulator, the payment rail, and the affiliate market. Novatech is the regulator side of that squeeze landing harder than anyone expected.

The window for getting licensed cleanly is still open in 2026. Anjouan applications take 4 to 8 weeks. Nevis takes 8 to 12. Even Curacao, which used to take six months, is now running closer to four under the LOK framework. None of these timelines will improve as queues lengthen through the rest of the year.

If you are running grey today and you have been waiting for the right moment to regularise, the moment is now. The math has changed.

If you want a fixed quote for any of the four jurisdictions we cover, tell us your situation. Recommended jurisdiction, fixed price, realistic timeline. Within 24 hours.