The EU 6AMLD Restructure: What the 2024 AML Package Means for iGaming Operators
The EU’s sixth Anti-Money Laundering Directive, formally Directive 2024/1640, represents the most consequential restructuring of European AML supervision in over a decade. Adopted alongside the directly-applicable AML Regulation and the regulation establishing the new Anti-Money Laundering Authority, the directive shifts the centre of gravity in EU AML compliance away from individual member-state transposition and toward harmonised supervision under a centralised authority. For iGaming operators serving EU markets, the implications stretch well beyond the technical changes in obligation and touch the operational structure of compliance functions themselves.
What the Directive Actually Restructures
The previous AML directives operated through transposition, with member states adapting EU-level principles to their national legal frameworks. The result was a regime that nominally harmonised AML supervision across the EU but in practice produced substantial divergence in how rules were applied, what evidence regulators expected, and how operators serving multiple markets needed to structure their compliance operations. The 2024 package responds to that divergence by placing the core obligations in a directly-applicable Regulation that does not require national transposition, while reserving the Directive for the institutional and procedural elements that necessarily vary by member state.
The text of Directive 2024/1640 defines the institutional architecture for member-state supervision, the mechanisms for cooperation between national Financial Intelligence Units, the structure of beneficial-ownership registers, the access regime for those registers, and the procedural framework within which national supervisors operate. The substantive AML obligations on operators themselves, including customer due diligence, ongoing monitoring, reporting, and record-keeping, sit in the Regulation rather than the Directive, which means they apply uniformly across member states without national variation.
The AML Authority and the Direct-Supervision Tier
The most structurally significant change in the 2024 package is the establishment of AMLA, the Anti-Money Laundering Authority, with direct supervisory powers over selected high-risk obliged entities from 2027. The authority’s role replaces the previous model in which EU-level coordination operated through the European Banking Authority but actual supervision remained entirely at the national level. AMLA selects a subset of obliged entities for direct supervision based on cross-border activity and risk profile, while the remaining majority continue to be supervised by their national competent authorities under AMLA’s coordination.

For iGaming operators serving multiple EU markets, the question of whether their group will fall within AMLA’s direct-supervision tier is operationally significant. Direct supervision means a single supervisor with cross-jurisdictional view, removing the historical pattern in which an operator could face inconsistent expectations from supervisors in each of its licensed markets. It also means a supervisor with substantial technical capacity and access to the cooperation networks of national FIUs, which raises the practical bar for compliance posture. Operators outside the direct-supervision tier remain under national supervision, but with AMLA setting harmonised methodology and conducting peer reviews that constrain how much national supervisors can diverge.
The Risk-Based Approach in the New Framework
The risk-based approach has been the central organising principle of EU AML regulation since the third directive, and the 2024 package both reaffirms and operationalises it more rigorously. Obliged entities continue to assess and respond to money-laundering and terrorist-financing risks proportionate to their business activity, customer base, and geographical exposure. What changes is the level of detail in the supervisory expectation around how those risk assessments are conducted, documented, and acted upon.
The supervisory guidance that AMLA inherits and extends from the predecessor European Banking Authority workstream sets out the technical expectations for risk assessment methodology. The guidance covers the factors that need to be weighed in customer risk scoring, the triggers that elevate a customer to enhanced due diligence, the patterns that warrant transaction monitoring escalation, and the documentation that must support each of those decisions in an audit trail. For iGaming operators, the granularity of this guidance has direct implications for compliance system design, particularly around the automation of risk scoring and the maintenance of audit-ready evidence trails.
Beneficial Ownership and the Transparency Push
One of the more contested elements of the 2024 package is the treatment of beneficial-ownership registers and public access to them. The Court of Justice of the EU ruling in 2022 restricted public access to beneficial-ownership data on data-protection grounds, and the new directive responds by establishing a more structured access regime that distinguishes between competent authorities, obliged entities with a legitimate compliance purpose, and other categories with potentially more limited access. The registers themselves are harmonised across member states in terms of data captured and update obligations, with the European Central Platform interconnecting them.
For iGaming operators, beneficial-ownership data is most relevant in two contexts. The first is the verification of corporate customers, such as affiliate companies, payment processors, and white-label arrangements, where understanding the ultimate beneficial owner is essential to risk assessment. The second is operator self-reporting, where the operator’s own beneficial ownership and that of its corporate group must be accurately registered and kept current. The directive tightens the obligations in both contexts, with enhanced penalties for inaccurate or out-of-date filings and clearer procedural mechanisms for cross-border verification.
Transition Timing and What Operators Need to Be Doing Now
The application date for the Regulation is July 2027, with member states required to transpose the Directive by the same date. The intervening period is not slack time. The operational implications of the new framework are sufficiently substantial that operators relying on a last-minute compliance scramble will find themselves with systems that pass initial inspection but fail under sustained supervisory scrutiny. The operators making serious progress in 2026 are working through gap analyses against the new requirements, scoping changes to their KYC orchestration, monitoring methodology, and reporting infrastructure, and planning the data-migration work that supports the new beneficial-ownership reporting structure.
The compliance officer role itself is also expected to receive more granular regulatory definition, with the directive specifying responsibilities, governance position, and qualification expectations more concretely than the previous regime. For iGaming operators, this means that the compliance function needs to be positioned within the corporate governance structure in a way that supports the regulatory expectations, with reporting lines, independence safeguards, and resource allocation visible to supervisors. Operators that have historically run lean compliance functions, with limited senior representation, will find the new expectations more demanding to satisfy.
The Cross-Border Dimension
The harmonisation of substantive obligations across EU markets reduces but does not eliminate the cross-border complexity of operating across multiple jurisdictions. Member states retain discretion over how they organise their national supervisory authorities, how those authorities cooperate with other national agencies such as gambling regulators, and how enforcement actions are structured. Operators serving multiple EU markets still face multiple supervisory relationships, but the substantive content of what those supervisors expect should converge substantially under the new framework.
The interaction between AML supervision and gambling regulation is one of the areas where convergence will be less complete. AMLA and the gambling regulators in each member state operate under different mandates, and the coordination between them is not yet fully developed. Operators with mature compliance functions are increasingly building integrated AML and gambling-compliance teams to address overlapping requirements coherently, but the underlying regulatory architecture continues to treat them as separate streams. How that interaction matures over the next several years will shape the operational compliance burden in EU markets meaningfully, and the operators that participate constructively in the developing supervisory dialogue will be better positioned than those that wait for prescriptive guidance. The broader licensing context that interacts with AML obligations is something we have examined in our comparison of major iGaming licensing frameworks.

