Brazil Is About to Require Supplier Licensing. The Incorporation Deadline Is Already Running.

The SPA has opened a public consultation on a draft Ordinance that would make supplier recognition mandatory for any B2B company providing services to licensed Brazilian operators. If enacted as written, this does not merely add a compliance step; it restructures the conditions under which B2B commercial relationships in the Brazilian market are legally permissible. The consultation closes March 23, 2026. But the constraint that cannot be reversed by reading the final text is already in motion: suppliers without a Brazilian legal entity who wait for the Ordinance to be finalised before beginning incorporation have already made a decision that costs them 6–12 weeks regardless of what the final text says.

For two years, Brazil's licensed betting market treated B2B supplier relationships as an operator compliance matter. The SPA has now moved to change that, opening a public consultation on February 4 on a draft Ordinance that would require suppliers to obtain direct regulatory recognition from the SPA itself, making the supplier relationship a direct regulatory obligation for the first time. The window to shape those rules closes March 23. The incorporation deadline is already running.

Submit a contribution: Brasil Participativo — SPA B2B Supplier Consultation — open until March 23, 2026.

What the Draft Ordinance Actually Proposes

The draft establishes a mandatory recognition regime covering five defined service categories across two distinct commercial layers. Understanding which layer a supplier operates in determines both the compliance timeline and the switching cost calculus for their operator customers , and those two things drive different commercial consequences.

The infrastructure layer covers betting systems and betting platforms: core bet processing and settlement infrastructure, and the front-end and back-end technology through which operators present product to bettors. For suppliers providing a betting engine or platform that multiple operators deploy under their own brands, recognition applies to the component itself, not each individual operator deployment. PAM providers are the category most likely to be in scope twice: the platform layer and the betting system layer frequently coexist in a single PAM architecture. The draft Ordinance is silent on how sub-licensing relationships within a recognised supplier's stack are treated: a PAM that sub-licenses a third-party betting engine or game content may carry recognition obligations on behalf of components it does not own. This is the structural ambiguity most likely to generate legal submissions during the consultation, and it has not been addressed in any law firm alert published to date.

The service layer covers online games (including aggregators and live game studios), KYC and player identification services (qualification, risk classification, biometrics, geolocation), and data and statistics for sports betting systems. Aggregators are explicitly named alongside live studios, meaning a supplier distributing third-party content to Brazilian operators is in scope, not just the studio producing it. Suppliers who hold existing GLI technical certifications for the Brazilian market should note that technical certification by an accredited lab and operational capacity recognition by the SPA are separate steps operating under separate frameworks. The February 2026 draft Ordinance introduces the second one. Art. 29 confirms the boundary explicitly: technical certifications against the existing standards framework remain the operator's obligation, not the supplier's. What recognition adds is a distinct, supplier-facing compliance requirement, one that a technical certification does not substitute for and does not accelerate.

Recognition will be granted by individual SPA Ordinance for a period of three years, subject to renewal. The approval process mirrors the operator authorisation framework: corporate documents, technical capacity statements, certificates of legal eligibility, suitability, and tax and labour compliance.

Renewal carries its own compliance clock. Under Art. 19, renewal applications must be filed at least six months before expiry. Operators may maintain contracts with a supplier during a pending renewal, but only if that application was filed within the six-month window. A supplier that misses the advance filing deadline loses the protection of the transitional arrangement. Recognition is not a one-time compliance event. Both suppliers and their operator customers need to track it as a recurring obligation with a fixed expiry, and operators who rely on suppliers without contractual provisions requiring advance notice of renewal status are carrying a risk they have not priced.

The draft goes beyond requiring a local contact. Suppliers must establish a full legal entity in line with Brazilian law, headquartered and operated in Brazil. All contracts with operators must be executed in Portuguese. This is a structural corporate requirement, and the harder, earlier deadline in this entire process. Entity incorporation in Brazil typically takes 6–12 weeks minimum depending on corporate structure. A supplier without an existing Brazilian entity that waits for the final Ordinance text before beginning incorporation has already conceded that runway, regardless of when the formal deadline is set.

One structural provision absent from every published law firm analysis reviewed for this piece. Art. 6 of the draft imposes additional obligations on suppliers that are in the same economic group as a licensed operator, meaning suppliers and operators that share common ownership or control. Where that relationship exists, the draft requires operational segregation between the supplier's activities serving its affiliated operator and its activities serving other operators. For holding companies that own both a licensed Brazilian operator and a technology provider (a structure that exists in this market) the recognition framework does not sit cleanly in either the operator licensing stream or the standard supplier recognition stream. It creates a third compliance architecture that interacts with both. Legal counsel advising vertically integrated groups will need to assess both the segregation requirements and whether the recognition application itself needs to disclose the affiliated operator relationship in a way that triggers additional SPA scrutiny. This is absent from every published law firm analysis reviewed for this piece.

Art. 5(VI) contains a provision absent from every law firm alert reviewed for this piece, and it materially changes the commercial dynamic between recognised suppliers and their operator customers. Recognised suppliers are required to notify the SPA within 48 hours of becoming aware that an operator customer is using their service in a manner inconsistent with applicable legal and regulatory requirements. This creates mandatory disclosure obligations running from supplier to regulator, against the supplier's own commercial customers. The obligation is not limited to obvious illegality: it covers any use of the service that does not comply with the fixed-odds betting regulatory framework. A supplier that becomes aware of operator conduct suggesting non-compliance and does not report it within 48 hours is itself in breach of its recognition conditions.

What no law firm alert has yet addressed is the contractual conflict this creates. Most B2B agreements in this market contain confidentiality provisions that prohibit disclosure of information about the counterparty's operations without consent. A recognised supplier who becomes aware of operator conduct triggering the 48-hour reporting obligation may simultaneously face a regulatory obligation to disclose and a contractual obligation not to. These provisions can conflict, and the draft Ordinance contains no carve-out resolving which prevails. Suppliers need a specific legal assessment of their existing contract templates against Art. 5(VI) before submitting a recognition application, not after receiving their first notification obligation.

Sources: Draft Ordinance via Brasil Participativo (SPA public consultation, open February 4 – March 23, 2026); FAS Advogados client alert, February 5, 2026; Mattos Filho client alert, February 2026.

The Transitional Mechanism and Its Structural Risks

The draft provides a transitional regime under which operators may maintain or enter into contracts with suppliers whose registration and recognition applications have been duly filed and accepted by SPA. Suppliers currently providing services to Brazilian operators are not immediately in breach, but the clock is running.

Once the transitional period ends, the provision of regulated services will only be permitted after the issuance of a formal SPA recognition Ordinance. Suppliers who have not initiated the process before that deadline face effective exclusion from the Brazilian supply chain: not a compliance violation in their home jurisdiction, but an inability to contract with licensed operators.

Both FAS Advogados and Mattos Filho confirm that a transitional period exists in the draft, described as allowing suppliers to continue being contracted "as they adapt to the new obligations, subject to specific criteria and timeframes." The critical detail: those criteria and timeframes are not set in the draft itself. They will be established in the final Ordinance, after the consultation closes on March 23. The SPA has deliberately left the window duration as a variable to be determined once it has reviewed industry submissions.

The draft establishes 120-day wind-down periods in three distinct scenarios, not a single grace period. Art. 21 applies when a supplier's recognition is cancelled following an SPA decision. Art. 26 applies when a supplier fails to submit a valid registration application during the transitional window. Art. 28 applies when a recognition application is finally denied following exhaustion of all administrative appeals. These are separate triggers with separate start dates. Operators carrying multiple suppliers in borderline status could find themselves managing simultaneous wind-down timelines across different service categories, each tied to a different regulatory event.

The appeal timeline compounds this. Under Arts. 16–17, a supplier denied recognition has 15 days to file an appeal, after which the SPA has 5 working days for initial reconsideration, a further 15 days to escalate to the superior authority, and 5 working days for the final decision. A fully contested denial may take 40 or more working days before it becomes final, and the Art. 28 wind-down clock does not start until that final administrative decision is issued. For operators managing a supplier whose application has been denied and is under appeal, the 120-day wind-down period is not the operational planning horizon. The appeal timeline is.

The staggered opening dates by service category create an additional variable. Registration and recognition windows do not open simultaneously across all five service types: betting systems suppliers face the most immediate clock, while data providers have the longest runway before their window opens.

Note: The deadline indicated refers to the opening of the period for filing petitions. The final deadline is the same for all service types. Source: Draft Ordinance, Annex V (SPA public consultation, February 2026).

The most operationally damaging scenario in this entire framework is SPA processing failure, and the draft does not address it. If the recognition queue runs past the transitional deadline, whether due to lab capacity constraints, administrative backlog, or a high volume of contested applications, licensed operators will face a legal prohibition on using suppliers whose applications are pending through no failure of their own. The draft contains no force majeure provision, no automatic extension mechanism tied to processing delay, and no liability framework for operators caught in a regulatory bottleneck they cannot control. Brazil's regulatory execution track record over its first year, including certification delays, mid-year licence suspensions and multiple ordinance amendments, does not establish the SPA as a regulator with demonstrated capacity to process high-volume, technically complex applications at speed. The Art. 27(8) priority provision, which gives processing priority to direct applications over transitional-period applications, makes queue position a commercial variable, not just an administrative one.

There is also a structural question about the SPA's stated rationale that deserves scrutiny. The April 2025 regulatory agenda frames this framework partly as a tool for combating the black market by formalising and controlling the supply chain. The logic has a gap: if unlicensed operators are accessing the same supplier stack as licensed ones, supplier recognition does not close that channel; it formalises who is permitted to supply licensed operators. Unlicensed operators will continue using unrecognised suppliers by definition, and those relationships sit outside the SPA's enforcement reach regardless of this framework. Recognition is a licensed-market compliance architecture. Its black market rationale is weaker than the SPA's framing implies.

The Mutual Recognition Gap

The draft Ordinance does not incorporate regulatory reliance mechanisms for suppliers already certified or authorised in mature betting jurisdictions. A supplier holding GLI certification, BMM testing approvals, an MGA-recognised supplier registration, or UKGC compliance status would, under the current draft, be required to undergo a full Brazil-specific recognition process regardless of their existing compliance standing.

FAS Advogados flagged this explicitly as an area requiring improvement, identifying "considering mechanisms for regulatory reliance for suppliers already certified or authorised in mature betting jurisdictions" as a concrete contribution the consultation should address. This is a call for the SPA to adopt such mechanisms, not confirmation they already exist.

The GLI-GSF framework adopted for the Brazilian market does reference international standards including the Center for Internet Security's Critical Security Controls, and GLI's published standards include provisions for recognising controls from other evaluated frameworks. In principle, a supplier audited against these standards in another jurisdiction could undergo a gap analysis rather than full re-certification. But this is GLI's standards architecture, not an SPA policy commitment, and the SPA has made no signal that it intends to adopt it.

The commercial stakes are concrete. Legal fees for the full recognition engagement , covering entity incorporation, SPA submission preparation and ongoing correspondence, are likely to run from €80,000 upward before any staffing or operational costs. If the SPA adopts a regulatory reliance pathway, suppliers with MGA, GLI, or UKGC standing may face a materially shorter and cheaper process. If it does not, full incorporation is the price of admission for every supplier regardless of existing compliance posture.

March 23 is the last point at which this outcome can be influenced , not the point at which it will be resolved. The SPA may decline to adopt regulatory reliance in the final text regardless of what submissions argue. Suppliers banking on that outcome before beginning incorporation are making a bet on a regulator that has shown limited appetite for expedient processing. The prudent position is to plan for both outcomes simultaneously: file a submission arguing for reliance, and begin incorporation as if the submission will fail.

What This Means for Operators

The operator implication is structural and has received almost no coverage in the English-language trade press. Once the recognition regime is in force, licensed Brazilian operators will only be permitted to engage suppliers whose operational capacity has been formally recognised by SPA through an individual Ordinance. The legal risk of non-compliance sits with the operator, not the supplier.

The SPA's willingness to enforce is not theoretical. It suspended four operators in early 2025 for documentation failures under Ordinance No. 827, costing those operators revenue during the suspension period regardless of whether the underlying gap was material. The B2B recognition regime creates an equivalent documentation dependency, but one that falls on the operator's entire supply chain simultaneously.

For an operator running a tier-one PAM, discovering that supplier is unrecognised is not a procurement decision; it is a platform migration. In a market where operator licences require continuous technical certification, initiating a core infrastructure change simultaneously with managing regulatory scrutiny is a risk most compliance directors will not accept. The operator who waits to discover their PAM is unrecognised is choosing between a platform migration under compliance pressure and an undeclared breach of operator licence conditions, neither of which has a good outcome. The prudent response is to audit the current supplier stack now, map which relationships sit in the infrastructure layer versus the service layer, and ask each supplier a specific question. The commercially useful question is not whether a recognition application is in progress, as suppliers will confirm this whether it is true or not. The question is: what is your Brazilian legal entity name and registration number? A supplier who cannot answer that question has not begun the process that recognition requires.

The compliance cost of the existing technical certification framework was already measurable: Playtech cited its effect on January 2025 volumes in their March 2025 earnings call. The new Ordinance adds a second compliance gate to the same supply chain. The operators who felt the first one are now managing the second.

Operators also face an unaddressed liability question. The draft is silent on the legal status of contracts signed during the transitional period with suppliers who are subsequently denied recognition. Whether those contracts are void, voidable, or enforceable, and whether the operator has a damages claim against a supplier who represented compliance readiness and failed to obtain recognition, is not addressed. Operators with current or pending supplier contracts should seek specific legal advice on this before the final Ordinance text is issued.

The AML dimension adds another layer. SPA/MF No. 1,143 requires operators to risk-classify their suppliers as part of their AML obligations. A change in a supplier's recognition status , whether through lapse, cancellation, or denial, is almost certain to trigger a mandatory reclassification event. In practice, reclassification requires the operator to reopen the supplier's due diligence file, conduct a fresh risk assessment, and document the outcome before the commercial relationship can continue on an unqualified basis, a process that typically takes weeks and cannot be automated away. Operators with automated AML systems need to build recognition status as a live data input. It is not currently standard in most compliance architectures, and the oversight is not academic: a supplier whose recognition lapses mid-contract without triggering the operator's AML system has created a gap that sits directly in the regulator's line of sight.

The Payments Dimension

Brazil's 2026 B2B compliance calendar has two concurrent deadlines running against the same service layer, and the interaction between them has not been publicly addressed.

The Central Bank separately accelerated the authorisation deadline for small payment institutions and fintechs from December 2029 to May 2026, explicitly targeting pool accounts used to mask illicit betting flows. Payment institutions and fintechs serving licensed Brazilian operators are already running a Central Bank authorisation process. KYC and player identification services are simultaneously in scope under the SPA's draft B2B Ordinance. A KYC provider serving multiple licensed operators in 2026 faces a structural ambiguity: the SPA requires it to obtain supplier recognition under the B2B framework, while the Central Bank may require its operator customers to switch to authorised payment institutions handling KYC in-house. Whether these two frameworks create conflicting obligations for the same service layer has not been addressed in any publicly available guidance. Until it is, KYC providers should assume both apply and plan accordingly.

The practical question for payments executives is architectural: does your service sit within the SPA's five categories, within the Central Bank's authorisation regime, or both? Payment infrastructure providing identity verification, geolocation, or risk classification is in scope under the draft Ordinance regardless of whether the payment institution serving the same operator is subject to Central Bank authorisation requirements. These are not the same obligation, they are not administered by the same regulator, and satisfying one does not satisfy the other. The highest-risk configuration is instant payment rail integration combined with KYC or geolocation services : that architecture is almost certainly in scope under both frameworks simultaneously. A KYC provider that has not received written confirmation from its Brazilian law firm that its specific service configuration sits outside Central Bank authorisation scope is carrying an unquantified regulatory liability alongside its SPA recognition application, and those two processes have different regulators, different timelines, and no coordination mechanism between them.

The Certification Body Question Is Still Unresolved

The draft proposes changes to existing regulations on certifying entities, the bodies through which technical qualification is assessed. Brazil currently has six SPA-recognised certification entities. Certification bottlenecks contributed to licensing delays throughout 2025 and were identified in the SPA's April 2025 regulatory agenda as requiring resolution, with a review scheduled for Q2 2026.

The technical benchmark that will govern assessment is clearer. The SPA's framework relies on GLI's Gaming Security Framework (GLI-GSF), and GLI released Module 3 in October 2025 specifically addressing "Vendor Controls" — the module directly applicable to B2B suppliers. GLI-GSF Module 3 requires vendors to demonstrate, among other controls, a documented third-party audit programme covering information security, defined incident response timelines with mandatory notification to client operators within 72 hours of a confirmed breach, and access control segregation between client environments. These are not conceptual requirements — they require documented evidence, audit trails, and operational procedures that most suppliers in this market have not built to a regulatory submission standard. The full GLI-GSF-3 standard is available without charge. Suppliers who have not read it are not in a position to estimate their recognition readiness.

Whether recognition applications will route through the existing six certified entities, a different assessment pathway, or the SPA's own technical review is not resolved in publicly available materials. The Art. 27(8) priority provision — processing priority for direct applications over transitional-period applications — means queue position carries commercial value, particularly in the betting systems category where the window opens immediately. A supplier in that category who files a direct recognition application early is not just meeting a deadline: they are reducing their queue position in a processing system whose capacity is unproven at this volume.

First-Mover Recognition as a Commercial Asset

Recognition is not just a compliance milestone. For betting systems and platform suppliers, it is a short-term commercial advantage with a closing window.

A recognised betting systems or platform supplier in a category where applications are limited or delayed has temporary leverage over operators who need compliant infrastructure but cannot switch to an unrecognised provider. The infrastructure layer, betting systems and platforms, carries the highest switching cost and opens the earliest recognition window. A supplier that obtains recognition before the transitional period closes has a window in which operators have limited compliant alternatives. Suppliers who understand this will price accordingly. The practical constraint is that exercising this leverage requires the commercial relationship to survive the negotiation , since operators with any alternative, however imperfect, will choose it over a supplier who uses regulatory status as a blunt pricing mechanism. The leverage is real; so is the ceiling on how hard it can be pushed.

For operators, the dynamic runs in the opposite direction. The fewer recognised betting system suppliers available at market opening, the less negotiating leverage operators carry on pricing and contract terms. Operators with current infrastructure relationships should treat recognition status as a procurement risk variable now, before the transitional window closes and the alternatives narrow.

The Commercial Stakes and a Commercial Opportunity

Brazil generated BRL17.4 billion in licensed GGR in the first six months of regulated operation across 78 operators and 182 authorised brands. The five categories in scope cover most of the relationships that generate B2B revenue in a licensed betting market. Suppliers currently operating without a recognition process underway are not merely non-compliant ; once the transitional period ends, they are contractually ineligible.

There is also a commercial opportunity that the compliance framing of this framework tends to obscure. Suppliers contracted with Brazilian operators before this framework existed did not price recognition compliance into their original commercial arrangements. The recognition regime creates a legitimate basis for renegotiating those terms. The conversation to have with Brazilian operator customers now is specific: recognition compliance adds a postdated cost (€80,000-plus in legal and incorporation fees alone before any staffing or operational overhead) to a relationship that was priced before this framework existed. A supplier who opens that discussion before the transitional deadline has negotiating room on pricing, contract duration, and exclusivity that closes once the operator is under compliance pressure to replace them. Compliance costs, covering entity incorporation, legal fees, SPA submission preparation and ongoing reporting obligations, are real, quantifiable, and postdate the original contract. Recognition also creates a dependency that runs in the operator's direction: a supplier holding recognised status that an operator depends on has leverage the unrecognised supplier beside them does not. That leverage has a price, and now is the time to establish what it is.

Regulatory Reference Table

The following ordinances collectively constitute the legal architecture within which the new B2B supplier recognition framework sits.

What Suppliers Should Do: In Order of Urgency

• Begin Brazilian entity incorporation immediately. Do not wait for the final Ordinance text. Entity incorporation in Brazil takes 6–12 weeks minimum depending on corporate structure. The formal recognition deadline is unknown; the practical incorporation lead time is not. A supplier without an existing Brazilian entity that waits for March 23 to begin this process has already lost that runway.

  
  

• Determine whether you are in scope at the service level, not the company level. A supplier providing both data services and platform technology is in scope twice, with different timeline obligations for each. Aggregators are explicitly named. Suppliers who white-label components built by third parties need to establish where regulatory responsibility sits in that chain.

  
  

• If you are a PAM provider, map your sub-licensing exposure. The draft is silent on how recognition obligations flow through multi-tier supply chains. A PAM sub-licensing a third-party betting engine or game aggregator may be carrying recognition obligations on behalf of components it does not own. This needs legal assessment before the consultation closes, not after the final text is published.

  
  

• Read the Declaration of Integrity (Annex II) before assuming you qualify ; if you are PE-backed, assess your sponsor's portfolio history, not just your own. The five-year lookback covers criminal convictions, insolvency, public procurement disqualifications, and any licensing sanction, suspension, or revocation in any jurisdiction within the past five years. The obligation extends to "any controlling entity" , which in practice means a private equity-backed supplier must assess whether its PE sponsor's previous investments include a sanctioned or suspended operator anywhere in the world within that window. A portfolio company with a clean regulatory record whose sponsor had a prior investment in a sanctioned operator may carry a disclosure obligation the company itself has no direct knowledge of. Undisclosed incidents discovered by the SPA through its own investigations are grounds for denial under Art. 15 and potential criminal liability under the Declaration of Responsibility.

  
  

• If you have existing Brazilian operator contracts, use recognition costs as a basis for renegotiation now. Compliance costs, covering incorporation, legal fees, SPA submission and ongoing reporting, postdate your original contract. They are quantifiable and legitimately passed through. Suppliers who raise this before the transitional deadline forces the conversation are in a stronger position than those who raise it under pressure. Recognition also creates infrastructure dependency that runs in the operator's direction. That dependency has a price. Establish it before the transitional period closes and the operator's alternatives narrow.

  
  

• Assess your mutual recognition position before deciding whether to engage the consultation. A supplier with MGA recognition and GLI certification has two options before March 23: file a submission arguing for regulatory reliance, or begin full incorporation on the assumption none will be granted. The cost differential between those two paths runs to €80,000-plus in legal fees. That decision requires a position by March 23. The SPA may decline to adopt regulatory reliance regardless of what submissions argue . Plan for both outcomes simultaneously.

  
  

• Audit your existing B2B contracts against Art. 5(VI) before applying. The 48-hour notification obligation may conflict with confidentiality provisions in your current operator agreements. Compliance teams need a defined escalation policy and a legal assessment of whether existing contract templates require amendment before recognition is granted. This obligation does not pause during any integration period.

  
  

• If you are a KYC or payment-adjacent supplier, map your exposure against both frameworks. The Central Bank's May 2026 authorisation deadline and the SPA's supplier recognition regime are separate obligations administered by different regulators. Satisfying one does not satisfy the other. Establish which applies to your architecture before the consultation closes. The highest-risk configuration is instant payment rail integration combined with KYC or geolocation services : that architecture is almost certainly in scope under both frameworks simultaneously.

  
  

• Call your licensed operator customers before they call you. Operators will audit their supplier stack as the transitional period approaches. Suppliers without a filed application are procurement-vulnerable, particularly in the infrastructure layer where switching costs make replacement a platform migration rather than a procurement decision. The supplier who surfaces recognition status proactively controls the conversation. The one who doesn't gets replaced at contract renewal.

  
  

The final Ordinance text will answer three questions this draft leaves open: how long the transitional window runs, whether mutual recognition is adopted, and what assessment pathway supplier recognition applications will follow. The answers to those three questions will determine whether the framework described here represents a manageable compliance cost or a structural barrier to the Brazilian market for suppliers outside the largest tier. Based on the SPA's execution track record and the absence of any force majeure, mutual recognition, or inter-regulator coordination mechanism in the current draft, smaller suppliers should plan for the barrier scenario, not the manageable one. Gaming Eminence will publish analysis of each as soon as the final text is available.

The primary source for this piece is the SPA's public consultation on the draft Ordinance, available at Brasil Participativo. The consultation closes March 23, 2026. Gaming Eminence will publish a follow-up analysis when the final Ordinance text is issued.

Evidence attribution: SPA Normative Ordinance No. 817, April 15, 2025 (regulatory agenda); SPA public consultation draft Ordinance, February 4, 2026, via Brasil Participativo (B2B recognition framework); FAS Advogados client alert, February 5, 2026; Mattos Filho legal analysis, February 4, 2026 (incorporation requirement, transitional period, approval process); SPA H1 2025 market report, August 2025 (GGR, operator data, enforcement statistics); Brazilian Central Bank ruling, September 2025, via news reports (fintech/payment institution authorisation deadline, May 2026); Playtech plc 2024 Earnings Call, March 27, 2025 (— KYC rejection rates, Brazil); GLI press release, October 8, 2025 (GLI-GSF Module 3, Vendor Controls); GLI-GSF-3 full standard, free PDF; DATA.BET press release, October 16, 2025 (— GLI-33 certification, Brazil); Playgon Games MD&A, May 2024 ( — GLI-19 certification, live dealer); Draft Ordinance Articles 5, 6, 16, 17, 18, 19, 21, 26, 27, 28, 29, Annex II and Annex V (SPA public consultation, February 2026).