Sweden Audits Its Founding Licensees

The audit letter nobody wants

Spelinspektionen, the Swedish Gambling Authority, has confirmed that four of the market's most recognizable names are going under the supervisory microscope. Hillside (Europe) ENC (bet365), Kaprifol Services Ltd (Unibet), Roar Vegas Ltd (LeoVegas) and Blue Star Planet Ltd (10bet) will all face checks on their compliance with the technical requirements set out in Chapter 16 of the Swedish Gambling Act.

The regulator was specific about what it will be looking at. Beyond the technical requirements themselves, Spelinspektionen will verify that each licensee holds valid and updated certificates from an accredited body. Under the authority's technical regulations (SIFS 2022:3), inspection, testing and certification protocols must be renewed at least every twelve months. Miss the renewal window and you are out of compliance, whether or not anything on your platform actually changed.

Notice who is on the list. These are not fringe operators testing the boundaries of the Swedish market. Unibet and LeoVegas were founded in Sweden. All four were in the first batch of licensees when the country moved from a monopoly to an open market in 2019. These are the veterans, the brands with the biggest compliance teams in the market, and they are being audited anyway.

And they are not alone. Spelinspektionen currently lists 15 other ongoing compliance investigations. Last month it issued an official warning to Oddit Limited, the parent of casumo.com, along with a SEK 1.2m fine, for repeatedly failing to report structural and ownership changes within the mandatory 14-day window.

From event-driven to calendar-driven enforcement

For years, the unspoken model of gambling enforcement was event-driven. A scandal broke, a complaint landed, a journalist found something, and the regulator reacted. If nothing surfaced, nothing happened. Compliance, in practice, meant not being the story.

What Sweden is doing here is different, and it matches a pattern visible across Europe this year. The KSA has published a 2026 agenda targeting the entire ecosystem around illegal gambling. Seven European regulators have committed to coordinated enforcement with a joint report due by December. And now Spelinspektionen is running scheduled, systematic checks on its largest licensees, not because anything went wrong, but because the calendar says it is time.

That is the shift that matters: enforcement is becoming routine, proactive and cyclical. The audit is no longer triggered by failure. The audit is the baseline.

Why this reaches the affiliate surface

Technical certification is an operator-side obligation, so it is tempting for affiliate and marketing teams to read this story and move on. That would be a mistake, for two reasons.

First, Sweden is the market that crystallized the doctrine now spreading everywhere: if you hold the licence, you own the marketing. Spelinspektionen has applied that principle to affiliate content for years, and regulators across Europe have adopted, formalized and strengthened it. When a Swedish auditor opens a file on a licensee, the public marketing footprint, including the affiliate footprint, is part of the picture they are allowed to look at.

Second, look at the logic of the certification rule itself. A protocol that was valid last year is not presumed valid today; it must be re-verified every twelve months. Now apply that same logic to an affiliate page. If a regulator does not accept a twelve-month-old certificate for a platform that barely changes, why would anyone accept a six-month-old screenshot as evidence that a bonus page, which changes weekly, is compliant?

• Affiliate pages update offers, banners and odds tables on a daily cadence
• Bonus terms drift out of sync with the operator's current offer
• Geo-targeting changes silently, exposing content to markets it was never reviewed for
• Old promotions linger in cached and syndicated copies long after they expire

A compliance posture built on point-in-time checks cannot describe a surface that moves this fast. Sweden's message to its biggest operators is that compliance is a continuous state, not a certificate on the wall. The affiliate channel is where that principle bites hardest, because it is the part of the footprint that changes most and is watched least.

What continuous evidence looks like

This is the gap kaspero was built to close. kaspero scans an operator's affiliate footprint the way a regulator audits a licensee: on a schedule, against the specific rulebook for each geo, and with evidence attached to every finding.

For a Swedish-facing brand, that means every affiliate page carrying your tracking links is rendered visually, the way a player sees it, and checked against the Swedish requirements: licensed-operator presentation, bonus restrictions, responsible gambling messaging, age signals. When something drifts, you get the flagged page, the specific rule, the screenshot and the timestamp. When the auditor arrives, you do not have a story, you have a file.

The operators on Spelinspektionen's list this month will spend weeks assembling documentation to prove their platforms do what they are certified to do. The ones who handle it well will be the ones who already had the records. That is the whole lesson, and it applies to the marketing chain just as much as the gaming engine.

The takeaway

Sweden did not announce a crackdown. It announced a routine, and routines are scarier. A regulator that audits bet365, Unibet, LeoVegas and 10bet on schedule, while running 15 parallel investigations and fining a major brand over a missed 14-day reporting window, is a regulator that has stopped waiting for things to go wrong.

Every market is converging on this posture. The practical question for operators is no longer whether your compliance holds up when something breaks. It is whether your evidence holds up when nothing has, and the auditor asks anyway.