Compliance

Compliance-by-design: why loot box regulation is starting to look like an MGA audit

Compliance-by-design

PEGI — the age-rating body used across more than 35 European countries — rolled out the biggest change to its classification framework in over a decade. Starting in June 2026, any game with paid random items gets a minimum PEGI 16 rating, regardless of its content otherwise. It’s not a gambling law. It’s an age-rating body quietly admitting that loot boxes need to be treated as a distinct risk category — which is one more data point in a pattern that’s been building for years: regulators haven’t agreed that loot boxes are gambling, but they increasingly want the same kind of proof a gambling regulator would demand.

That’s the actual story here, and it’s worth being precise about it rather than overstating it. Loot boxes are not legally classified as gambling in the UK, most of the EU, or under US federal law, as of this writing. But “not legally gambling” and “not regulated” have stopped being the same thing — and the infrastructure needed to satisfy the second is converging, fast, on something that already exists in iGaming: an auditable, reproducible record of exactly how chance-based outcomes are generated and disclosed.

TL;DR

  • The legal status is genuinely fragmented: Belgium bans paid loot boxes outright. The UK and most of the EU don’t classify them as gambling. The US has no federal law at all — just FTC consumer-protection enforcement and a closely watched state lawsuit.
  • The pressure is real even without a gambling classification. The EU’s Digital Services Act already restricts practices that drive “excessive or compulsive spending” by minors, independent of any future gambling law. PEGI’s new rules just landed. The EU’s Digital Fairness Act is expected to propose binding rules later this year.
  • The crux test everywhere is “money or money’s worth.” Items that can be cashed out on a secondary market blow up the usual exemption — which is exactly the legal theory behind New York’s attorney general suing Valve over Counter-Strike 2 skins.
  • The practical answer looks like an RNG audit, not a legal opinion. Drop-rate logging, deterministic replay, and age-gating records — the same evidence an MGA or UKGC auditor expects from a casino game — are becoming the default expectation for loot boxes too, classification debate aside.
$15B+
estimated annual loot box revenue
PEGI 16
new minimum rating floor, from June 2026
Q4 2026
EU Digital Fairness Act proposal expected

This article summarizes the regulatory landscape as we understand it in June 2026. It is not legal advice — the law here is moving quickly and varies by jurisdiction and product mechanic, so any compliance decision should be checked against current counsel for the specific markets you operate in.

The patchwork, as of June 2026

The UK still does not treat loot boxes as gambling. The Gambling Act 2005 requires a prize to be “money or money’s worth,” and the UK Gambling Commission’s long-standing position is that in-game items don’t meet that bar because the publisher itself doesn’t let you cash them out. The government reaffirmed this position again in January 2026, while noting it is “keeping possible future legislative options under review” — language it has now used for several years running. In its place, the industry runs a self-regulatory code (UKIE’s principles, published in 2023) covering disclosure and age-gating, with the government able to step in if that proves insufficient.

The EU has no single law treating loot boxes as gambling either — gambling regulation stays with individual member states, which is why approaches differ so sharply across the bloc. Belgium banned paid loot boxes outright back in 2018, treating them as illegal gambling under its existing framework, and that ban remains in force. The Netherlands took a different and more complicated path: its gambling authority initially fined EA roughly €10 million over FIFA Ultimate Team packs, but that fine was later overturned after a court found the mechanic, integrated as it was into normal gameplay, didn’t constitute a standalone gambling product — a reversal worth knowing about, since the original fine is still the version of this story most commonly repeated. Poland has drafted amendments that would require a gambling licence for chance-based purchase mechanics, and the European Parliament’s internal market committee voted in October 2025 to push for the EU’s incoming Digital Fairness Act to ban loot-box-style mechanics in games accessible to minors — a proposal the European Commission is expected to table later in 2026, not a law that exists yet.

Separately — and already in force, independent of any gambling classification — the EU’s Digital Services Act restricts platforms accessible to minors from using practices that can drive excessive or compulsive spending, and the European Parliament has explicitly read that obligation as covering paid loot boxes with randomized content. This matters because it means EU compliance pressure on monetization design didn’t wait for a gambling law; it’s already live through a different legal door.

The United States has no federal loot box law of any kind. Enforcement instead comes through the FTC, using ordinary consumer-protection and children’s-privacy law (COPPA) rather than gambling statutes — a settled case already established that platforms must block under-16 purchases without verified parental consent. State bills in New York, Hawaii, Washington, and Indiana have proposed loot-box-specific rules; none has passed as of this writing. The case to actually watch is New York’s attorney general suing Valve, arguing that Counter-Strike 2’s loot boxes constitute illegal gambling under state law — grounded directly in the fact that CS2 skins have a real, liquid secondary market, which is the exact crack in the “no cash value” argument that every other jurisdiction’s exemption also depends on.

The test that keeps breaking: “money or money’s worth”

Almost every jurisdiction’s gambling exemption for loot boxes rests on the same idea: it’s only gambling if the prize has real monetary value, and a publisher who doesn’t let you cash out hasn’t given you that. It’s a clean legal test, until a secondary market exists where players trade those items for real money anyway — at which point the “the publisher doesn’t cash you out” defense stops mattering, because someone else effectively does.

This is precisely the architecture decision sitting at the center of the Valve lawsuit, and it’s worth treating as exactly that — an architecture decision, not just a legal one. Whether a game’s items are tradeable, how easily they convert to cash through third-party markets, and how directly the publisher facilitates or merely tolerates that trade are product and infrastructure choices made well before any court gets involved. A studio that enables frictionless secondary trading of randomized-drop items is choosing to operate closer to the line that separates “not gambling” from “functionally gambling” in multiple jurisdictions at once.

⚖️
Whether to support a secondary market for randomized items is a decision with real regulatory exposure attached — and it’s worth mapping before it’s built, not after a regulator asks about it. Gart Solutions’ compliance audit service covers exactly this kind of architecture-level risk review.

What “compliance-by-design” actually means here

iGaming operators already live with this problem solved, because they had no choice — a real-money casino game without a defensible audit trail simply doesn’t get licensed. Our <a href=”https://gartsolutions.com/industries/igaming/”>iGaming practice</a> is built around exactly this: deterministic replay so any past outcome can be reconstructed from stored seed and state, version-locked deployment so a tested build is provably the one that shipped, and continuous logging that can answer a regulator’s question about drop rates or RTP without a scramble.

Game studios shipping loot boxes have rarely had to build any of that, because until recently nobody outside the studio was asking. That’s changing on three fronts at once: PEGI’s new rating floor makes the mechanic itself a labeled risk category rather than an invisible design choice; the EU’s DSA already creates spending-pattern obligations independent of gambling law; and the Valve case shows a state attorney general willing to use existing gambling statutes against a mechanic that was never designed with that scrutiny in mind. None of these require a new “loot boxes are gambling” law to bite — they bite under the laws and rating systems that already exist.

The practical response looks less like a legal memo and more like an infrastructure project: a verifiable, append-only log of what a given pull’s odds actually were and what it produced, age-verification records that hold up under a regulator’s request rather than just a checkbox, and a documented decision — made deliberately, not by default — about whether and how items can move into a secondary market. That’s the same category of evidence an MGA or UKGC audit already expects. The studios that build it before they’re asked won’t be rebuilding their monetization stack under a deadline; the ones that don’t are betting on the current patchwork staying exactly as fragmented as it is today.

🔍
An RNG and drop-rate audit trail built for an iGaming regulator transfers almost directly to a loot-box compliance request. Gart Solutions’ IT audit services cover the same deterministic-replay and logging architecture across both.

The takeaway for both industries

The honest summary is that nobody — not Brussels, not London, not Washington — has settled this question, and anyone telling you with confidence exactly what the rules will say in twelve months is guessing. What is settled is the direction: more disclosure, more age-gating, and more scrutiny of secondary markets, arriving through age-rating bodies, consumer-protection law, and state attorneys general even where a gambling classification never lands. Building the audit infrastructure now isn’t a bet on any one outcome — it’s the same infrastructure either way.

Could your monetization stack answer a regulator’s question today?

Gart Solutions helps both iGaming operators and game studios build the audit trails, drop-rate logging, and compliance architecture that hold up under real scrutiny — before a regulator or a lawsuit asks first.

Talk to our architects →

FAQ

Are loot boxes legally classified as gambling anywhere in 2026?

Yes, in some places — Belgium has banned paid loot boxes outright since 2018, treating them as illegal gambling under its existing law. The UK, most of the EU, and US federal law do not classify them as gambling, though several jurisdictions are actively reviewing that position, and New York's attorney general is currently arguing in court that specific mechanics in Counter-Strike 2 do qualify under state law.

What is PEGI's new rule and when does it take effect?

Starting June 2026, PEGI — the age-rating system used across more than 35 European countries — applies a minimum PEGI 16 rating to any game containing paid random items, regardless of the game's other content. It's part of a broader overhaul adding "interactive risk categories" that also cover communication features and engagement-driving design patterns.

Does the EU's Digital Services Act already cover loot boxes?

The European Parliament has interpreted the DSA's restriction on practices that drive excessive or compulsive spending by minors as covering paid loot boxes with randomized content, even though the DSA isn't a gambling law and doesn't classify loot boxes as such. This means compliance pressure already exists in the EU independent of whatever the proposed Digital Fairness Act eventually contains.

What happened with the Netherlands and EA's FIFA Ultimate Team case?

The Dutch gambling authority initially fined EA roughly €10 million, ruling that FIFA Ultimate Team packs constituted illegal gambling. That fine was later overturned on appeal after a court found the mechanic, as integrated into normal gameplay, did not amount to a standalone gambling product. The original fine is still widely cited as if it were the final outcome, which it isn't.

Why does a secondary market for in-game items matter so much legally?

Most jurisdictions exempt loot boxes from gambling law on the basis that the prizes have no real monetary value, since the publisher won't cash them out. A liquid secondary market where players trade those items for real money undermines that argument regardless of what the publisher itself does, which is the core legal theory behind New York's lawsuit against Valve over Counter-Strike 2 skins.

What should a game studio actually build to get ahead of this?

At minimum: a verifiable log of the actual odds behind any given randomized outcome, age-verification records that would satisfy a real audit rather than a self-certified checkbox, and a deliberate, documented policy on whether and how items can be traded externally. This is structurally similar to what Gart Solutions builds for iGaming RNG certification readiness — deterministic replay and continuous audit logging, just applied to a mechanic that hasn't historically required it.
arrow arrow

Thank you
for contacting us!

Please, check your email

arrow arrow

Thank you

You've been subscribed

We use cookies to enhance your browsing experience. By clicking "Accept," you consent to the use of cookies. To learn more, read our Privacy Policy