Building an online casino in 2026 is no longer a matter of buying a turnkey platform and switching it on. The licensing landscape has tightened, payment rails are stricter about iGaming MCCs, and player acquisition costs in regulated markets routinely exceed two hundred dollars per first-time depositor. The teams that ship successful casinos treat the project as a regulated fintech build with a games layer on top, not as a games project with compliance bolted on. This guide walks through every decision an operator or studio has to make, in the order it actually has to be made, with directional budget figures at the end.
The target reader is a founder, head of product, or technology lead at a B2C operator, an aspiring B2B platform provider, or an existing brand expanding into a new jurisdiction. Nothing here is sales material. Where Sudonex builds the relevant component, the link is inline so you can read the technical scope and price it against alternatives.
Step 1: Decide Your Business Model
Before anything else, pick which kind of company you are building. The four common shapes are B2C operator, B2B platform, white-label licensee, and full custom build. They differ on regulation, capital requirements, time to market, and margin profile.
A B2C operator runs the brand, holds the licence, owns the player wallet, and takes the gross gaming revenue. This is the highest-margin path and the highest-risk path. You are responsible for KYC, AML monitoring, responsible gaming, payment fraud, marketing, and game library curation. Time to first deposit in a Tier-1 jurisdiction is typically twelve to eighteen months from kickoff.
A B2B platform sells the casino engine, wallet, CMS, bonus engine, and reporting to other operators. You hold a software supplier licence rather than a gaming licence. Margins are lower per dollar of GGR, but you have many operators on one stack and your regulatory surface is narrower. Time to first paying client is six to nine months for a focused MVP.
A white-label licensee uses a partner who already holds the licence, and you brand the front end. You move fast, often live in eight to twelve weeks, but you give up roughly thirty to forty percent of net gaming revenue and have limited control over game mix, payment providers, and player data. Most successful operators outgrow white-label within two years.
A full custom build is what large brands and ambitious studios do when they want to own every layer. It is the longest path and the most expensive, but it is the only path that produces an asset with real enterprise value at exit. If the long-term plan is acquisition or IPO, build custom. If the goal is to test a market in one jurisdiction, white-label or buy a turnkey first.
The rest of this guide assumes you are building a B2C operator with custom or semi-custom technology. Adjust scope where your model differs.
Step 2: Pick Your Jurisdiction and Licensing Path
The licence you hold dictates which markets you can address, which payment providers will work with you, which games you can offer, and how much capital you need to lock up. The four jurisdictions that cover most of the legitimate market are the United Kingdom (UKGC), Malta (MGA), Curaçao, and Kahnawake. Each has a clear pros-and-cons profile.
UKGC is the strictest and the most respected. Application takes nine to sixteen months. You need demonstrable compliance experience on the leadership team, a UK-resident money laundering reporting officer, full GamStop integration, ongoing affordability checks, and Section 75 advertising compliance. Annual fees scale with GGR and start in the low five figures. The trade is access to one of the most liquid regulated markets in the world.
MGA (Malta) is the European workhorse. Application is six to nine months. You need a Maltese company, key function holders resident in or accessible to Malta, an audited technical setup, and segregated player funds. MGA gives you a strong reputational signal and allows operation into many EU markets where local rules permit, though several large EU states (Germany, Netherlands, Spain, Italy, France) now require local licences on top.
Curaçao reformed in 2024 under the LOK framework. The new regime is materially stricter than the old master-licence model: each operator now needs its own B2C licence, with proper UBO disclosure, AML programmes, and technical audits. Time to licence is three to six months, costs are mid five figures per year, and the licence is accepted by most non-restricted markets but not by Tier-1 European regulators. Curaçao is the practical choice for emerging-market operators and crypto-first brands.
Kahnawake is the longest-running online gaming jurisdiction in North America. It is well respected, costs are moderate, and the application takes around four months. It is a fit for operators targeting Canadian provinces (outside Ontario, which has its own iGO regime), Latin America, and other emerging markets. It does not give you access to the EU.
Most serious builds end up holding two or three licences in sequence: Curaçao or Kahnawake to launch and prove the product, then MGA for the European footprint, then UKGC if the UK is in scope. Plan the sequence at the start because every licence requires architectural choices (data residency, segregation, reporting feeds) that are painful to retrofit. Detailed scope is on the casino licensing compliance page.
Step 3: Architecture Decisions
The back end has to do four things at once: hold money safely, execute game rounds with single-digit-millisecond latency, satisfy regulator audit requirements, and survive marketing-driven traffic spikes that look nothing like normal load.
Monolith versus microservices is the first call. A modular monolith on a strong typed language (Go, Java, C#, Kotlin) is the right starting point for almost every new operator. It deploys faster, is easier to reason about under audit, and removes the distributed-systems failure modes that bite teams who chose microservices because the conference talks said to. Split out the wallet, the game session manager, and the bonus engine as separate services only when load or team size forces it.
Hosting has two viable shapes. AWS, GCP, or Azure in regions that match your licence's data residency rules is the default; UKGC and MGA both expect EU or UK residency for player data, and several jurisdictions require local hosting. Bare metal or hybrid is worth considering only for live dealer streaming, where colocation near studios reduces latency.
Latency budgets matter more than they used to. Slot spin round-trip should sit under one hundred and fifty milliseconds end to end on a desktop connection. Live dealer video should target under four hundred milliseconds glass-to-glass. Wallet debit and credit must complete inside fifty milliseconds at the ninety-ninth percentile, because a slow wallet under load is the single fastest way to break a player session and trigger a chargeback.
The RNG sits at the centre of the architecture. Use a CSPRNG (ChaCha20, AES-CTR-DRBG) seeded from a regulator-acceptable entropy source, with a documented reseed strategy, thread-safe consumption, and audit logging on every draw. The full scope of testing and certification is in RNG integration testing. Get this right at the start; reworking the RNG layer after launch means resubmitting every game.
For a deeper architecture walk-through, the casino app development page covers stack choices, mobile considerations, and reference topologies, and the casino MVP development page describes the minimum viable shape we ship in twelve weeks for new operators.
Step 4: Game Content Sourcing
There are two ways to fill the lobby: license content from aggregators, or build proprietary games. Most operators do both, in different proportions over time.
Aggregators (Pragmatic Play, Evolution, Relax Gaming, Yggdrasil, plus content hubs like SoftSwiss Game Aggregator and Slotegrator) give you instant access to one to ten thousand titles through a single integration. Revenue share is usually fifteen to twenty percent of GGR per game, sometimes higher for premium content. Integration is fast, certification is already done, and content updates happen without your engineering involvement. The downside is that every other operator in your market has the same lobby.
Proprietary games are how brands differentiate after the first year. Build two or three signature titles with distinctive math models, invest in art direction, and use them in marketing. Per-title cost runs from sixty thousand to two hundred and fifty thousand USD depending on art quality and feature complexity. The math model and certification process are non-trivial; budget twelve to sixteen weeks per title and plan certification with a recognised test house from day one.
Live dealer is its own decision. Stream-from-studio operators (Evolution, Pragmatic Live, Ezugi) handle the studios, dealers, cameras, and certification; you integrate over their API and pay revenue share. Standing up your own live studio is a multimillion-dollar capex and only makes sense above a certain GGR threshold and in jurisdictions where local studios are required.
Step 5: Payments and Compliance Stack
This is where most builds underestimate scope. The payment and compliance stack has more moving parts than the games themselves and is the layer regulators look at first.
Payments: you need at least three deposit methods per market (one card, one local bank rail, one e-wallet or APM) and a payout method that pays in under twenty-four hours for the priority tier of players. Card acquiring for iGaming MCCs (7995 in particular) is restricted; expect to work with a specialist acquirer (Worldpay, Praxis, Nuvei, Paysafe, EMerchantPay) and to post a meaningful rolling reserve. PCI DSS Level 1 applies if you store, process, or transmit card data; most operators stay at SAQ-A or SAQ-A-EP by tokenising at the acquirer. Crypto rails (BTC, ETH, USDT on Tron and Ethereum, USDC) are now mainstream for non-Tier-1 markets and require their own AML controls and travel-rule compliance. The integration scope is on the casino payment integration page.
KYC and AML: pick a vendor (Sumsub, Onfido, Jumio, Veriff) for identity verification and a separate or bundled provider for ongoing AML screening (PEP, sanctions, adverse media). Every regulated jurisdiction requires risk-based KYC at signup or before first withdrawal, ongoing transaction monitoring with documented rules, and SAR filing where applicable. Build the AML rule engine so compliance officers can change thresholds without redeploying.
Geo-IP and device intelligence: use a primary geolocation provider (MaxMind, GeoComply for US-grade) plus a fingerprint vendor (FingerprintJS, Iovation) to detect VPNs, multi-accounting, and bonus abuse. UKGC and several US states explicitly require geolocation accuracy that hobby-grade IP databases cannot deliver.
Responsible gaming tooling: deposit limits, loss limits, session limits, reality checks, self-exclusion, and self-exclusion register integration (GamStop in the UK, ROFUS in Denmark, OASIS in Germany). This is not optional and not ornamental; UKGC has fined operators in the eight figures for missing or unenforced limits. Build the controls as first-class features, not as flags hidden in account settings.
Security: regular penetration testing, a documented secure SDLC, segmented player data, and a clear incident response plan. The full scope is in security audit and penetration testing.
Step 6: Player Acquisition Channels
A functioning casino with no players is a failed business. Plan acquisition before launch, not after.
Paid: Google and Meta accept gambling ads only in licensed jurisdictions and only for advertisers who pass their certification. Costs are high (CPMs of fifty dollars and up in Tier-1 markets, CPAs of one hundred and fifty to four hundred dollars). Performance discipline matters more than creative volume; instrument LTV by cohort and channel from day one.
Affiliates: still the dominant channel for most casino brands. Programmes pay revenue share (twenty-five to fifty percent of net GGR), CPA (one hundred to four hundred USD per FTD), or hybrid. Pick an affiliate platform (Income Access, MyAffiliates, Affilka, Smartico) at launch; switching later is painful because affiliates own the tracking links.
Retention loops: a casino without retention is a leaky bucket. Build a bonus engine that supports deposit bonuses, free spins, cashback, tournaments, and missions, and instrument every player action so a CRM tool (Smartico, Optimove, Solitics) can trigger lifecycle messaging. Retention spend should grow from zero at launch to roughly thirty to forty percent of total marketing spend by year two.
Step 7: Launch Checklist
Before the first real-money deposit, walk this list end to end.
Licence issued and conditions met. RNG and games certified by an accredited test house. Penetration test passed within the last ninety days. PCI DSS attestation current. KYC and AML procedures documented and tested with synthetic cases. Responsible gaming controls live and tested. Self-exclusion register integration verified. Geolocation blocking in place for restricted territories. Terms and conditions and privacy policy reviewed by counsel in the licensing jurisdiction. Disaster recovery and business continuity plan tested. Player support staffed in the languages of the launch markets, with documented escalation for vulnerable-player and AML cases. Reporting feeds to the regulator (where required) tested with sample data. Marketing creative reviewed against the jurisdiction's advertising code. First-week monitoring runbook in place: who watches what dashboards at what hours.
Most operators that miss launch deadlines miss them on items eight through twelve, not on engineering.
Step 8: Total Budget by Tier
All figures are directional and assume new build, not turnkey. They include technology and licensing but exclude marketing, working capital, and reserve requirements set by your acquirer.
MVP tier, fifty thousand to one hundred and fifty thousand USD: white-label or heavily templated stack on a Curaçao or Kahnawake licence, aggregator-only content, two or three payment methods, basic KYC, basic responsible-gaming controls, single market. Time to launch six to twelve weeks. This is a market-test budget, not a long-term operator budget. The casino MVP development page has the full scope.
Mid-tier, three hundred thousand to five hundred thousand USD: semi-custom stack on Curaçao plus an MGA application in flight, aggregator content with two or three proprietary titles, four to six payment methods including crypto, full KYC and AML stack, complete responsible-gaming controls, affiliate programme, two to four markets. Time to launch four to seven months. This is the tier where most serious independent operators start.
Enterprise tier, seven hundred and fifty thousand USD and up: full custom platform, multi-jurisdiction licensing including UKGC or MGA, proprietary content studio, multiple acquirers, dedicated CRM and bonus engine, multi-region hosting, twenty-four seven NOC. Time to launch nine to eighteen months. This is the budget for brands that intend to be top-twenty in their markets within five years.
For a deeper cost breakdown by line item, see the casino software cost guide, and for a more detailed look at the development workstream, the casino app development guide. If white-label is on the table, the white-label casino software page covers the trade-offs in depth.
FAQ
Q: How long does it take to build an online casino?
A: Six to twelve weeks for a white-label launch in a Curaçao-equivalent jurisdiction, four to seven months for a semi-custom mid-tier build, and nine to eighteen months for a custom enterprise build with Tier-1 licensing. Most of the time is licensing and certification, not coding.
Q: Can I build an online casino without a licence?
A: Not legally in any market worth operating in. Unlicensed operation exposes founders to criminal liability in many jurisdictions, blocks you from mainstream payment rails, and makes acquisition or sale impossible. A Curaçao or Kahnawake licence is the cheapest legitimate starting point.
Q: What is the minimum realistic budget?
A: Around fifty thousand USD all-in if you go white-label on a permissive jurisdiction with aggregator content and minimal customisation. That figure assumes you already have working capital separate from the build budget; player payouts have to be funded out of the operating account, not the build budget.
Q: Should I build proprietary games or only license content?
A: Start with aggregator content. Add proprietary games in year two once you understand which math styles, themes, and features resonate with your retained players. Building proprietary games before you have player data is a common and expensive mistake.
Q: How important is mobile?
A: Mobile is now seventy to eighty-five percent of casino traffic in most regulated markets. Build mobile-first, design game lobbies for one-handed use, and test payment flows on real devices on slow networks. A desktop-only launch in 2026 is a non-starter.
Further reading and where to take this next
This guide is intentionally generic; every real build has constraints that change the answers. If you are sizing a project and want a structured second opinion on scope, licensing path, or architecture, the Sudonex team works through the same checklist on a discovery call. Start at contact and bring your target markets, expected first-year deposit volume, and any licensing decisions already made.