Regulatory Compliance

Netherlands KSA iGaming: Full Operator Accountability for Every Technology You Deploy

The KSA holds operators directly responsible for the compliance of every technology supplier they use. Geolocation is no exception — and the regulator has been aggressive about enforcement.

Peabody Editorial Team
May 2026

The Netherlands opened its regulated online gaming market in October 2021 under the Remote Gambling Act (Wet Kansspelen op Afstand). The Kansspelautoriteit — the KSA — regulates the market with a philosophy that is distinct from most other jurisdictions: it does not license technology suppliers. Instead, it holds licensed operators fully and directly accountable for the compliance of every technology they deploy, including geolocation.

This approach places a heavier burden on operators than they might expect. Choosing a geolocation vendor is not simply a commercial decision — it is a compliance decision for which the operator carries the regulatory risk. If your geolocation system fails to detect a player outside the Netherlands, or fails to identify a VPN in use, that is your problem with the KSA, not your vendor's.

Understanding what the KSA actually requires technically — and what "full accountability" means in practice — is essential for any operator entering or operating in the Dutch market.

The Dutch Market: Regulated but Still Maturing

The Netherlands has a population of approximately 18 million and a well-established gambling culture. Prior to the 2021 Remote Gambling Act, Dutch players accessed online gaming primarily through unlicensed offshore operators — a market the KSA estimated was worth over €1 billion annually. The regulated market was designed to channel that activity through licensed, compliant operators.

The KSA has been notably aggressive in enforcement since launch. It has issued substantial fines against both unlicensed operators continuing to serve Dutch players and licensed operators who failed to meet compliance requirements. The regulator has made clear that holding a license is not a shield against enforcement — it is an ongoing obligation.

2021: Market launch under the Remote Gambling Act — one of Europe's most recently opened regulated markets
18M: Dutch residents — a mature gambling market previously dominated by unlicensed offshore operators
KSA: Kansspelautoriteit — the regulator that holds operators fully responsible for every technology supplier they use

The KSA's Operator Accountability Model

Unlike the UKGC, which licenses gambling software vendors directly, or the AGCO in Ontario, which maintains specific technical standards for geolocation, the KSA does not issue licenses to technology suppliers. There is no approved vendor list, no separate B2B registration process, and no KSA certification for geolocation software.

What the KSA does instead is hold operators accountable for everything their platform does. If you are a licensed Dutch operator and your geolocation system passes a player who is physically located in Germany, the KSA's enforcement action will be directed at you — regardless of which vendor provided the system or what guarantees they made contractually.

What This Means for Vendor Selection

Because the operator bears full regulatory risk, vendor selection in the Netherlands is a due diligence exercise, not just a procurement one. Operators should require third-party testing certifications from any geolocation vendor they use — independently verified evidence that the system works as claimed. An EU-accredited auditor's report covering accuracy, circumvention detection, and monitoring continuity is the standard operators need to hold their vendors to.

What the KSA Requires Technically

The KSA's technical requirements for geolocation and player verification flow from the Remote Gambling Act and the associated implementing regulations. They cover several distinct areas:

Player Location Verification

Operators must verify that players are physically located within the Netherlands when accessing online gaming. This is not a one-time registration check — location must be verifiable at the time of each gaming session. Players accessing from outside the Netherlands must be blocked. The KSA's position is that IP-based location checks alone are insufficient given the ease with which they can be circumvented.

Circumvention Tool Detection

Operators are required to detect and block players using VPNs, proxy servers, and other tools designed to mask or falsify their true location. This requirement exists because the KSA recognizes that IP geolocation is trivially bypassed — a player in Germany using a Dutch VPN exit node would pass an IP-only check. Effective circumvention detection requires OS-level signals that browsers cannot access.

Age and Identity Verification

The KSA requires rigorous age verification (minimum 18, with proposals to raise to 21 for high-risk games). Identity verification must be watertight and verifiable to the regulator at any time. A geolocation system that accurately places a player in Amsterdam does not satisfy the KSA if the operator cannot also verify that the player is who they claim to be.

Control Database in the Netherlands

A distinctive KSA requirement: licensed operators must maintain a control database physically located in the Netherlands. This database must contain the records the KSA needs to audit operator compliance, including verification logs. This has direct implications for how geolocation data is stored and retained — cloud-only solutions with no Dutch data residency may not satisfy this requirement.

Third-Party Testing and Documentation

All gaming systems — including geolocation components — must be independently tested and certified by an auditor accredited by at least two EU member states. Operators must maintain inspection and testing certifications, control database reports, and information security reports. These are not one-time requirements — they must be kept current and available to the KSA on request.

Why IP-Only Geolocation Fails the KSA Standard

The KSA's circumvention detection requirement is explicit about VPNs and proxies — and IP-based geolocation cannot detect either. A player in Belgium using a commercial VPN with a Dutch exit node will appear to be in Amsterdam to any system that relies solely on IP address analysis. The same is true for residential proxy services, which route traffic through genuine Dutch home connections.

  • Commercial VPNs: Hundreds of VPN services offer Dutch exit nodes. A player outside the Netherlands can obtain a Dutch IP address in minutes. IP-only systems cannot distinguish this from a genuine Dutch player.
  • Residential proxies: Route traffic through genuine residential connections, making the player appear as a regular Dutch home user. Standard IP reputation databases do not flag these addresses.
  • Virtual machines: A player can run a virtual machine configured to appear located in the Netherlands at the OS level, defeating browser-based location APIs entirely. Only a native agent with hardware access can detect this reliably.
  • CGNAT and shared addresses: Many Dutch ISPs use carrier-grade NAT, meaning multiple households share a single IP address. IP geolocation accuracy degrades significantly in these environments, creating false positives that block legitimate Dutch players.

The Enforcement Reality

The KSA has demonstrated willingness to impose significant fines for compliance failures. An operator whose geolocation system is found to have allowed out-of-jurisdiction play — even through a vendor's failure — faces regulatory action. The operator accountability model means there is no deflecting responsibility to a third-party supplier in a KSA enforcement proceeding.

What a KSA-Compliant Geolocation Stack Looks Like

Meeting KSA requirements requires a multi-signal approach that combines hardware-level location data with OS-level integrity checks and structured audit logging. The key principle is that no single signal is sufficient — and the system must be independently validated.

Hardware-Backed Location Signals

On mobile, GPS combined with WiFi BSSID triangulation and cell tower data produces location verification that cannot be spoofed by a VPN. The player's physical proximity to Dutch cell towers and WiFi access points is a hardware reality — no network-level tool can change it. On desktop, WiFi BSSID scanning via a native agent provides comparable accuracy, placing the device relative to real access points in its physical environment.

OS-Level VPN and Proxy Detection

VPN tunnels are visible at the operating system level as named network interfaces — tun0, wg0, WireGuard adapters on Windows, utun on macOS. A native desktop agent can enumerate these interfaces regardless of whether the VPN is active or what IP address it presents. On mobile, platform VPN APIs expose tunnel state directly. No browser-based solution can access this information.

Virtual Machine and Emulator Detection

Virtual machines are detectable through a combination of DMI hardware identifiers, CPU hypervisor flags, MAC address OUI prefixes reserved by VM vendors, and system-level detection tools. A player running VirtualBox or VMware with a faked location can be identified with high confidence through multiple independent signals — each of which would need to be independently spoofed to evade detection.
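
The interface, DMI, CPU-flag and MAC OUI checks from the two sections above, as an added Python example for a Linux agent (not Peabody's code or any vendor's). The function names, the tap/ppp/ipsec name patterns and the DMI marker list are assumptions made for illustration.

```python
import re
from pathlib import Path

# tun, wg and utun come from the text; tap, ppp and ipsec are assumed extras.
# Name matching is a heuristic: system services and corporate VPNs create
# the same interface names, so a hit is one signal, not a verdict.
TUNNEL_NAME = re.compile(r"^(tun|tap|wg|utun|ppp|ipsec)\d+$")

# MAC OUI prefixes registered to, or conventionally used by, hypervisors.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}
DMI_MARKERS = ("virtualbox", "innotek", "vmware", "qemu", "kvm", "xen",
               "virtual machine")

def tunnel_interfaces(names):
    """Return the interface names that look like VPN tunnel devices."""
    return sorted(n for n in names if TUNNEL_NAME.match(n))

def vm_signals(dmi_strings, cpuinfo_text, macs):
    """Return one entry per independent VM indicator that fired."""
    hits = []
    for s in dmi_strings:
        if any(m in s.lower() for m in DMI_MARKERS):
            hits.append(f"dmi:{s.strip()}")
    for line in cpuinfo_text.splitlines():
        # x86 guests expose a "hypervisor" CPU flag in /proc/cpuinfo.
        if line.startswith("flags") and "hypervisor" in line.split():
            hits.append("cpu:hypervisor")
            break
    for mac in macs:
        vendor = VM_OUIS.get(mac.lower()[:8])
        if vendor:
            hits.append(f"oui:{vendor}")
    return hits

def collect_linux():
    """Read the live values from sysfs/procfs on a Linux host."""
    net = Path("/sys/class/net")
    names = [p.name for p in net.iterdir()] if net.is_dir() else []
    macs = [(net / n / "address").read_text().strip()
            for n in names if (net / n / "address").is_file()]
    dmi = [f.read_text() for k in ("sys_vendor", "product_name")
           if (f := Path("/sys/class/dmi/id") / k).is_file()]
    cpu = Path("/proc/cpuinfo")
    return (tunnel_interfaces(names),
            vm_signals(dmi, cpu.read_text() if cpu.is_file() else "", macs))
```

`collect_linux()` needs no elevated privileges for these paths; Windows and macOS agents would feed the same two functions from their own interface and firmware queries.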

Structured Audit Logs with Data Residency

Every verification event must be logged with a full record of the signals used, the risk score produced, and the action taken. Given the KSA's control database residency requirement, operators should verify that their verification logs can be stored in or made available from Netherlands-based infrastructure. The logs must be queryable and exportable for regulator review.
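
An added Python example (not Peabody's code) of the audit record this section describes: signals used, risk score, action taken, and an export for a review window. The field names, weights and threshold are hypothetical, and `wifi_country` stands for the result of the hardware-backed location check.

```python
import json
from datetime import datetime, timezone

# Hypothetical weights and threshold, for illustration only; a real policy
# is set by the operator and covered by the independent test report.
WEIGHTS = {"outside_nl": 100, "vpn_interface": 60, "vm_detected": 40,
           "ip_country_mismatch": 30}
REQUIRED = ("wifi_country", "ip_country", "tunnel_ifaces", "vm_hits")
BLOCK_AT = 40

def evaluate(player_id, signals, now=None):
    """Score one verification event and return its audit record as a dict."""
    missing = [k for k in REQUIRED if k not in signals]
    flags = []
    if not missing:
        if signals["wifi_country"] != "NL":
            flags.append("outside_nl")
        if signals["tunnel_ifaces"]:
            flags.append("vpn_interface")
        if signals["vm_hits"]:
            flags.append("vm_detected")
        if signals["ip_country"] != signals["wifi_country"]:
            flags.append("ip_country_mismatch")
    score = sum(WEIGHTS[f] for f in flags)
    # Fail closed: an absent signal is never treated as a clean one.
    action = "block" if missing or score >= BLOCK_AT else "allow"
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "player_id": player_id,
        "signals": signals,          # raw values, so the decision can be replayed
        "missing_signals": missing,
        "flags": flags,
        "risk_score": score,
        "action": action,
    }

def export_jsonl(records, start, end):
    """Return records with start <= ts < end as JSON Lines for review."""
    keep = [r for r in records
            if start <= datetime.fromisoformat(r["ts"]) < end]
    return "\n".join(json.dumps(r, sort_keys=True) for r in keep)
```

Timestamps are stored in UTC with an explicit offset, so `start` and `end` must be timezone-aware datetimes.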

Independent Testing Certification

The KSA requires that gaming systems be certified by an auditor accredited in at least two EU member states. Operators should obtain and maintain current certifications from their geolocation vendor covering accuracy, circumvention detection methodology, and monitoring continuity. These certifications are the operator's primary evidence of due diligence in vendor selection.

How Peabody Addresses KSA Requirements

Peabody's compliance stack delivers the multi-signal verification the KSA's operator accountability model demands. Because the operator bears full regulatory risk, the quality and verifiability of the underlying technology is what matters — not a vendor's regulatory status.

WiFi BSSID Geolocation

Native agents on Windows, Mac, and Linux scan surrounding access points and submit BSSIDs for hardware-backed location verification independent of IP address. A VPN cannot move the device's physical relationship to Dutch WiFi infrastructure.

OS-Level VPN Detection

Active VPN interfaces are detected at the OS level across Windows, Mac, Linux, iOS, and Android — including WireGuard, OpenVPN, IPSec, and commercial VPN clients. Detection is independent of the VPN's IP presentation.

Multi-Signal VM Detection

Virtual machine detection via DMI strings, CPU hypervisor flags, MAC OUI prefixes, and system calls covers VirtualBox, VMware, KVM, Hyper-V, and Xen across x86-64 and ARM64 architectures. Wine compatibility layer detection is included.

Structured Audit Logging

Every verification event produces a structured log record with signal breakdown, risk score, and outcome — exportable on demand for KSA audit purposes. Operators retain full control over log storage and data residency.


Ready for the Dutch Market

Peabody supports Dutch iGaming operators with hardware-backed verification across all major platforms. If you are entering or operating in the Netherlands and need to satisfy KSA compliance requirements, we are ready to talk.