TMT 2026 Comparisons

As an EU member state, the Czech Republic’s digital economy framework is predominantly shaped by directly applicable EU legislation, including:

• the Digital Services Act;
• the Digital Markets Act;
• the Data Governance Act;
• the Data Act;
• the AI Act; and
• the GDPR.

National Framework

Draft Digital Economy Act

A draft Digital Economy Act is currently pending before the Chamber of Deputies. The draft act would:

• introduce a definition of “information society services”;
• establish national enforcement mechanisms for the Digital Services Act and Digital Markets Act;
• regulate certain aspects of commercial communications within online services; and
• replace the current Act on Certain Information Society Services (Act No. 480/2004 Coll.).

Act on Certain Information Society Services (Act No. 480/2004 Coll.)

Currently, digital service providers are regulated primarily under Act No. 480/2004 Coll., which:

• transposes the E-Commerce Directive;
• establishes information obligations for service providers;
• provides liability exemptions (mere conduit, caching, hosting); and
• regulates certain aspects of commercial communications (including unsolicited marketing).

Electronic Communications Act (Act No. 127/2005 Coll.)

The Electronic Communications Act regulates electronic communications services and implements key elements of the ePrivacy framework, including confidentiality of communications and rules relating to cookies and marketing communications.

Cybersecurity Act (Act No. 264/2025 Coll.), implementing the NIS2 Directive

Digital business models are further shaped by:

• the Civil Code (Act No. 89/2012 Coll.), including rules on digital content and digital services contracts; and
• the Consumer Protection Act (Act No. 634/1992 Coll.).

Industry Codes of Conduct

There is no mandatory cross-sector digital economy code of conduct. However, several self-regulatory initiatives exist, particularly in online advertising and marketing, as follows:

• SPIR (Association for Internet Development) – ethical standards for online advertising and content aggregation;
• RPR (Czech Advertising Council) – Code of Advertising applicable to commercial communications across digital platforms;
• AOV (Association of Online Publishers) – ethical standards for online journalism;
• APEK (E-commerce Association) – Code of Delivery Terminology standardising shipping terminology to ensure consumer protection in online retail;
• APMS (Mobile Network Operators) – standards for premium SMS and mobile payments; and
• ČAI (Czech AI Association) – AI Ethical Code promoting responsible AI use.

One of the current regulatory debates concerns the total restriction of social media access for minors. In February 2026, the Czech government announced that it is considering legislation that would restrict the use of social media platforms by children under the age of 15.

Another emerging issue concerns the regulation of professional influencers. Under the On-Demand Audiovisual Media Services Act (Act No. 132/2010 Coll.), certain influencers may qualify as providers of audiovisual media services on demand if they meet specific qualitative and quantitative criteria. In such cases, they must register with and are supervised by the Council for Radio and Television Broadcasting (RRTV). Determining when online creators fall within this regulatory regime has raised practical challenges, particularly in distinguishing between platform hosting services and professional audiovisual content providers.

A further challenge relates to the implementation of the Digital Services Act. Although the Czech Telecommunications Office (CTO) has been designated as the national Digital Services Co-ordinator, the necessary implementing legislation has been delayed.

The Czech Republic has not introduced a standalone digital services tax. Digital revenues are therefore taxed under general VAT and corporate income tax rules.

VAT

The Czech Republic follows the EU VAT framework (VAT Directive 2006/112/EC), implemented by the Value Added Tax Act (Act No. 235/2004 Coll.). Telecommunications, radio and television broadcasting services, and electronically supplied services (including SaaS, digital platforms and downloadable content) are treated as services for VAT purposes. The standard VAT rate is 21%.

For VAT purposes, the place of supply depends primarily on the customer’s status and location:

• B2B supplies are taxed where the customer is established (reverse charge mechanism); and
• B2C supplies of digital services are taxed where the consumer resides.

Where the EU-wide EUR10,000 annual threshold for cross-border B2C supplies is exceeded, VAT must be accounted for in the consumer’s member state. Businesses commonly use the One Stop Shop (OSS) regime for simplified cross-border reporting.

Corporate Income Tax

Czech tax-resident companies are subject to corporate income tax at 21% on worldwide income, including income derived from digital activities. Non-resident companies may become subject to Czech taxation if they create a permanent establishment in the Czech Republic, subject to applicable double tax treaties.

Sector-Specific Levies

A sector-specific contribution applies in the audiovisual sector. Effective from 1 January 2025, streaming (VOD) platforms operating in or targeting the Czech market are subject to a combined obligation of up to 3.5% of their Czech-generated revenues, consisting of a mandatory levy to the State Audiovisual Fund and direct investment in Czech audiovisual production.

Challenges

Key compliance challenges include:

• determination and documentation of customer location for B2C digital services;
• managing OSS and cross-border VAT reporting;
• assessing permanent establishment risks in digital business models;
• qualification of cross-border payments (eg, software licences, cloud services) for withholding tax purposes; and
• transfer pricing of intragroup digital service arrangements within multinational groups.

The Czech Republic has not introduced a specific digital advertising tax.

Compliance

In the digital advertising sector, compliance requires particular attention to:

• the allocation of advertising revenues within multinational platform structures;
• transfer pricing of intragroup marketing and advertising arrangements; and
• demonstrating the economic substance and business benefit of advertising expenses for corporate income tax deductibility.

Recent case law confirms that tax authorities expect taxpayers to demonstrate not only formal invoicing of advertising services but also their actual performance and business relevance. Proper contractual structuring and documentation are therefore essential.

Consumer protection in the Czech digital economy is primarily governed by:

• the Consumer Protection Act;
• the Civil Code;
• the Electronic Communications Act; and
• the Act on Certain Information Society Services.

The Civil Code contains specific provisions governing contracts for the supply of digital content and digital services. Consumer protection applies even where the consumer provides personal data instead of monetary remuneration, unless such data is processed solely to supply the service or comply with legal obligations.

Providers must ensure that digital content remains in conformity with the contract, including providing necessary updates (including security updates) for the agreed or statutory period.

The Civil Code also imposes mandatory pre-contractual information obligations, including disclosure of key characteristics, pricing, withdrawal rights, complaint procedures, functionality, compatibility, interoperability and update policies.

Consumer Complaints Resolution and Dispute Resolution

Consumer complaints are resolved through a combination of statutory complaint procedures, regulatory supervision, alternative dispute resolution (ADR) and civil courts.

The Consumer Protection Act establishes the procedural framework and empowers the Czech Trade Inspection Authority (Česká obchodní inspekce) to supervise compliance and impose fines. In the electronic communications sector, certain disputes fall under the competence of the Czech Telecommunication Office (Český telekomunikační úřad).

Consumers may also use statutory ADR mechanisms, and businesses must inform consumers about these options and co-operate where applicable. Judicial remedies before civil courts remain available.

If personal data issues arise (eg, profiling or targeted advertising), complaints may also be filed with the Office for Personal Data Protection (ÚOOÚ) under the GDPR. For online platforms and intermediaries, the Digital Services Act adds notice-and-action and transparency duties that may shape complaint-handling processes.

Best practices include:

• providing clear and accessible pre-contractual information (in a durable text form);
• implementing effective withdrawal and complaint-handling procedures, and responding within statutory deadlines; and
• ensuring timely updates and defect remediation.

Crypto-assets and blockchain technologies have materially altered the regulatory environment for TMT businesses in the Czech Republic by bringing certain technology-driven activities within the scope of financial services regulation. Technology vendors supplying infrastructure for crypto platforms may qualify as ICT third-party service providers under the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). This requires traditional IT and outsourcing contracts to incorporate enhanced security, audit and incident-reporting provisions.

The primary regulatory framework is the EU Markets in Crypto-Assets Regulation (MiCA) (Regulation (EU) 2023/1114), directly applicable since 2024. In the Czech Republic, the Digitalisation of the Financial Market Act (Act No. 31/2025 Coll.) designates the Czech National Bank (CNB) as the competent supervisory authority for crypto-asset service providers (CASPs). As a result, companies operating crypto platforms, custody services, exchanges or token issuance models are subject to financial regulation, AML supervision and operational resilience requirements. This represents a substantial shift from the previously lightly regulated environment.

The applicable regime depends on the nature of the asset:

• MiCA applies to most fungible crypto-assets and related services (exchanges, custody, issuance);
• MiFID II/the Czech capital markets law applies where tokens qualify as financial instruments;
• the AML Act (Act No. 253/2008 Coll.) applies to certain virtual assets and service providers outside MiCA; and
• purely non-transferable or closed-loop tokens (eg, some in-game assets) typically fall outside financial regulation.

Opportunities include the following.

• Tokenisation under the DLT Pilot Regime (2022/858) enabling the use of blockchain-based market infrastructure. The Czech Central Securities Depository is authorised to operate a settlement system under the DLT framework, allowing local entities to experiment with the tokenisation of real-world assets, such as bonds and equities.
• European passporting under MiCA, allowing crypto-asset service providers authorised in one member state to offer services across all EU member states.
• Favourable tax treatment, including capital gains tax exemption for crypto-assets held for more than three years, thereby aligning the tax treatment of crypto-assets with that of traditional financial instruments.

Key legal challenges include the following.

• Correct legal classification of tokens, as misclassification may trigger licensing obligations and regulatory sanctions.
• Significant regulatory burden for CASPs under MiCA, DORA (requiring banking-grade IT security) and the Transfer of Funds Regulation (2023/1113), which enforces the “Travel Rule” mandating the identification of both parties in crypto transactions.
• The core “privacy paradox” of the digital economy lies in the friction between blockchain immutability and data protection standards, particularly the GDPR right to erasure (as the data written to a blockchain is technically impossible to delete).

The Czech Republic does not have a standalone law governing cloud or edge computing. Instead, cloud and edge services are regulated through a combination of cybersecurity, data protection and sector-specific legislation, including:

• the Cybersecurity Act (Act No. 264/2025 Coll.), implementing the NIS2 Directive;
• the Public Administration Information Systems Act (Act No. 365/2000 Coll.), for public sector IT systems;
• the Act on Personal Data Processing (Act No. 110/2019 Coll.), together with the GDPR; and
• the EU Data Act, applicable to data processing services, including cloud and edge providers.

The Cybersecurity Act introduced a two-tier regime for regulated entities (higher-obligations regime and lower-obligations regime), imposing risk-management, incident-reporting and governance obligations depending on the entity’s classification. Supervision is exercised by the National Cyber and Information Security Agency (NÚKIB).

The EU Data Act also affects cloud services by introducing interoperability and data portability requirements designed to reduce vendor lock-in.

There are currently no binding industry-wide codes of conduct specific to cloud computing under Czech law.

Restrictions in Regulated Industries

Certain sectors are subject to stricter requirements when using cloud services.

In the financial sector, DORA imposes enhanced ICT risk-management, outsourcing and contractual obligations. Financial institutions supervised by the CNB must ensure appropriate audit rights, exit strategies and business continuity arrangements when engaging cloud providers.

Moreover, public authorities and operators of essential services are subject to NÚKIB’s cloud classification and security-level rules (including a public catalogue of acceptable cloud services). These rules impose stricter technical and contractual controls on confidentiality, integrity and availability.

Personal Data Processing in Cloud Computing

Personal data processing in cloud environments is governed primarily by the GDPR and the Act on Personal Data Processing. The Czech Office for Personal Data Protection emphasises that the use of cloud services does not reduce the controller’s responsibility under the GDPR and highlights several specific challenges.

• Controller-processor relationship: in most cloud arrangements, the customer acts as controller and the cloud provider as processor. Controllers must ensure that data processing agreements comply with Article 28 of the GDPR. Cloud providers may, however, act as independent controllers in relation to their own operational data (eg, billing information, service logs or security monitoring data).
• Risk assessment and data protection impact assessment (DPIA): before migrating personal data to the cloud, controllers are expected to conduct an adequate risk assessment and, where required, perform a DPIA under Article 35 of the GDPR. Particular attention should be paid to data location, sub-processing chains and the overall level of protection afforded to the data.
• International data transfers: the use of non-EU cloud providers may trigger cross-border data transfer rules under Chapter V of the GDPR.
• Ensuring adequate security measures: the Czech Office for Personal Data Protection emphasises the risk associated with the lack of physical control over data. Controllers must ensure appropriate technical and organisational measures under Article 32 of the GDPR, including encryption, access controls and incident response mechanisms.

The primary legal framework governing artificial intelligence in the Czech Republic is the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which establishes a risk-based regime distinguishing between prohibited AI practices, high-risk AI systems and lower-risk AI applications. The regulation imposes obligations on providers and deployers of AI systems, including transparency, conformity assessment and human oversight.

At the national level, the Ministry of Industry and Trade has prepared a draft AI bill to establish the institutional and enforcement framework for the application of the AI Act in the Czech Republic.

In 2025, the High Court in Prague authorised the use of a high-risk AI system involving biometric identification cameras at an international airport. The decision confirmed that biometric surveillance interferes with privacy and data-protection rights, but may be justified by a legitimate public security interest.

The CTO is expected to act as the national single point of contact and a lead supervisory authority for AI Act enforcement, with sector-specific regulators retaining competence in their respective areas.

There is currently no binding industry-wide AI code of conduct in the Czech Republic, although voluntary initiatives promoting responsible AI use have emerged. For example, the Czech AI Association (ČAUI) introduced an AI Ethical Code intended for political parties, coalitions, candidates, etc, providing a concrete framework for the responsible and transparent use of new technologies in election campaigns.

Protection Against Deepfakes

The Czech legal system does not contain a specific legal framework regulating deepfake technologies. Misuse of deepfakes is addressed through civil and criminal law protections.

Civil law protection of a person’s likeness, image and voice is provided under the Civil Code. Unauthorised use of a person’s image or voice can constitute an infringement of personality rights and may give rise to remedies such as injunctive relief and compensation for non-pecuniary harm.

In addition, an amendment to the Criminal Code (Act No. 40/2009 Coll.), effective from 1 January 2026, introduced a criminal offence covering the production or dissemination of pornographic or intimate material created using another person’s likeness without consent.

AI in Transport and Logistics

Automated driving is regulated primarily by Regulation (EU) 2019/2144 (General Safety Regulation) and the Road Traffic Act (Act No. 361/2000 Coll.). There is a regime for SAE Level 3 automated vehicles, allowing their operation on public roads under defined conditions while requiring the driver to remain ready to resume control. The Czech Republic has thereby become one of the first countries in Europe, alongside Germany, to legally permit the operation of Level 3 autonomous vehicles on public roads. Work on the legal framework for Level 4 and Level 5 automated driving systems has already begun.

The operation of unmanned aircraft systems (drones) is governed by EU aviation rules, in particular Commission Implementing Regulation (EU) 2019/947, and is supervised by the Civil Aviation Authority of the Czech Republic (Úřad pro civilní letectví). Drone operations are classified into three categories (Open, Specific and Certified), with requirements varying based on the risk level of the operation. Operators must register with the Civil Aviation Authority, and commercial operations may require specific authorisations or certifications depending on the category. There is currently no specific legal framework for autonomous drone delivery services in the Czech Republic, although such operations would fall under the Certified category of the EU UAS Regulation and would require individual type certification and operational approval.

Liability, Insurance and Transversal Legal Elements

There is currently no specific mandatory insurance regime for AI providers, although regulatory discussions continue regarding potential insurance requirements for high-risk AI.

In the field of intellectual property, Czech case law confirms that AI-generated works without sufficient human creative input may not qualify for copyright protection, reflecting the requirement of human authorship under Czech copyright law. The court noted that a text prompt may amount to no more than an idea or theme, which is not protectable under the Czech Copyright Act.

Where AI systems process personal data, their deployment must comply with the GDPR and the Czech Personal Data Processing Act, including DPIAs for high-risk AI processing (Article 35 of the GDPR), transparency and explainability of automated decision-making (Article 22), and implementing data protection by design and by default (Article 25).

The Czech Republic does not have a specific law governing the internet of things (IoT). Instead, IoT deployments are regulated through a combination of electronic communications, data protection and cybersecurity laws, and EU product and data regulations.

Key applicable laws are:

• the Electronic Communications Act;
• the GDPR, with the Czech implementing Data Processing Act;
• the Cybersecurity Act; and
• EU product and data legislation affecting connected devices, such as the Radio Equipment Directive (2014/53/EU), the Data Act and the Cyber Resilience Act (Regulation (EU) 2024/2847).

Machine-to-Machine Communication

Machine-to-machine (M2M) communications carried over public electronic communications networks are legally treated as electronic communications. As a result, IoT connectivity falls within the regulatory framework applicable to network operators, including obligations relating to network security, non-discrimination, interoperability and the establishment of lawful access interfaces. M2M connectivity is also subject to national spectrum management and licensing rules governing the use of radio frequencies.

Communications Secrecy and Metadata Retention

Czech law protects the confidentiality of communications and associated traffic and location data. Access by public authorities is permitted only under statutory conditions.

In 2026, the Czech Supreme Court held that the blanket retention of electronic communications metadata is incompatible with EU law, particularly the ePrivacy framework as interpreted by the Court of Justice of the EU. The case concerned the mandatory six-month retention of traffic and location data of virtually all users of electronic communications services. Although the relevant legislation formally remains in force, the decision raises questions regarding the broad retention of communications metadata, including machine-generated IoT traffic and location data.

Data Protection

Personal data generated by IoT devices is governed by the GDPR and the Act on Personal Data Processing. IoT devices frequently process personal data such as device identifiers, location data and behavioural usage patterns, and in some cases special categories of data (eg, health data from wearables).

Controllers deploying IoT solutions must implement data protection by design and by default, conduct DPIAs where required, and ensure transparency regarding data processing.

There are currently no specific industry-wide codes of conduct for IoT under Czech law.

Companies deploying IoT solutions in the Czech Republic face compliance challenges arising from the overlap of electronic communications regulation, data protection, cybersecurity and EU product legislation.

In practice, most challenges arise in relation to:

• data protection compliance, as IoT telemetry often constitutes personal data (eg, device identifiers, location data and behavioural metrics);
• ensuring transparency and valid user consent;
• implementing data minimisation and security measures for large volumes of automatically generated data; and
• addressing product cybersecurity and life cycle obligations applicable to connected devices.

The Czech Republic has no specific national legal regime governing data sharing by IoT companies. Legal requirements in this area follow the EU Data Act (Regulation (EU) 2023/2854).

Accordingly, manufacturers and providers of connected products and related services must ensure users can access and retrieve data generated by connected products, in a structured, commonly used and machine-readable format, free of charge and, where technically feasible, continuously and in real time. Data holders must also provide pre-contractual information on what data is generated, how it is stored and under what conditions it may be shared with third parties.

The Data Act applies based on the role an entity performs in relation to connected products and the data they generate (eg, manufacturer, data holder, user or data recipient), rather than on turnover thresholds. However, micro and small enterprises (fewer than 50 employees and annual turnover or balance sheet total not exceeding EUR10 million) are exempt from the data sharing obligations under Chapter II of the Data Act, provided they are not part of a larger corporate group nor acting as a subcontractor for a larger enterprise. Medium-sized enterprises benefit from a transitional exemption for one year after ceasing to qualify as an SME.

Outside these exemptions, the Data Act applies to all entities performing a relevant function, regardless of turnover or size. The Data Act also applies to foreign companies that place connected products on the EU market or otherwise target EU customers.

Specific Categories of Data

The Czech Republic does not introduce additional categories of data under the Data Act framework. The regulation applies equally to personal and non-personal data.

In addition, the Data Governance Act establishes a framework for data intermediation services and voluntary data sharing, which may support IoT data ecosystems but does not impose direct data sharing obligations.

The competent regulatory authority for audiovisual media services is the Council for Radio and Television Broadcasting (RRTV).

Traditional Broadcasting (Linear TV and Radio)

Traditional broadcasting is governed by the Broadcasting Act (Act No. 231/2001 Coll.). Terrestrial broadcasting requires a licence granted by the RRTV through a competitive public procedure, usually following confirmation of frequency availability by the Czech Telecommunication Office (ČTÚ). Applicants must demonstrate their financial, technical and organisational capacity to provide broadcasting services.

Cable, satellite and internet broadcasting are subject to a simplified registration (notification) procedure with the RRTV rather than a competitive licensing process.

Administrative fees for nationwide terrestrial licences are CZK90,000 (approximately EUR3,600) for television and CZK25,000 (approximately EUR1,000) for radio broadcasting.

On-Demand Audiovisual Media Services (VOD Platforms)

On-demand streaming platforms are governed by the On-Demand Audiovisual Media Services Act (Act No. 132/2010 Coll.). Unlike traditional broadcasting, VOD platforms do not require a broadcasting licence. Providers falling under Czech jurisdiction must simply notify the RRTV and are entered into a public register of service providers.

The key requirements are as follows.

• Providers must ensure that at least 30% of their total catalogue consists of European works, and these works must be given prominence on the platform.
• VOD platforms operating in or targeting the Czech market are subject to a combined obligation of up to 3.5% of their Czech-generated revenues, consisting of a mandatory levy to the State Audiovisual Fund and direct investment in Czech audiovisual production. Separately, cinemas and television broadcasters are required to contribute 2% of their respective revenues to the Czech Audiovisual Fund.
• Providers must implement technical measures (such as age-gating or PIN codes) to prevent minors from accessing adult or harmful content.
• Strict compliance with rules regarding product placement, sponsorship and an absolute ban on surreptitious commercial communications is required, ensuring viewers are never misled about the commercial intent behind the content.

Video-Sharing Platforms (VSPs)

Video-sharing platform services are regulated by the Video-Sharing Platform Services Act (Act No. 242/2022 Coll.), implementing the EU Audiovisual Media Services Directive.

Providers falling under Czech jurisdiction must notify the RRTV at least 15 days prior to the launch of the platform. The registration is free of charge. The notification must include a description of the protection measures the provider will implement, particularly measures designed to:

• protect minors from harmful content;
• prevent the dissemination of illegal content (eg, hate speech or terrorism-related material); and
• ensure transparency of commercial communications.

Platforms must also maintain mechanisms for users to report harmful content and handle such reports within statutory deadlines.

Audio Streaming Services

Pure audio streaming services generally fall outside audiovisual media regulation and are not subject to RRTV oversight. They typically qualify as information society services and are governed by general digital services and copyright law. No broadcasting licence or media registration is required, and providers usually operate under a standard trade notification regime. However, if a service offers a live, pre-scheduled stream of music that users cannot skip or control (similar to internet radio), it would trigger a mandatory notification for radio broadcasting via the internet with the RRTV.

The main regulatory issue in practice concerns copyright licensing, typically through collective management organisations such as OSA (representing authors of musical works) and INTERGRAM (representing performing artists and producers of sound and audiovisual recordings), and paying the respective fees, as well as licensing agreements with record labels for master rights.

Local telecommunications are governed by the Electronic Communications Act and supervised by the CTO.

The Act applies to services provided for remuneration through electronic communication networks, including:

• internet access services;
• interpersonal communication services, both number-based (traditional telephones) and number-independent (such as messaging apps like WhatsApp/Signal if provided as a service);
• signal transmission services (services consisting mainly in the conveyance of signals); and
• the provision of public communication networks (network infrastructure enabling signal transmission).

Market Entry Requirements

The Czech Republic operates a general authorisation regime rather than an individual licensing system. Providers of electronic communications services (except for number-independent interpersonal communication services) must notify the CTO before the activity commences. After notification, the provider may operate under the general authorisation framework. Providers must also notify the CTO of changes to registered information or the termination of activities, typically within one week. The notification fee is CZK1,000 (approximately EUR40), and CZK500 (approximately EUR20) for changes to registered data.

Telecommunications equipment placed on the market must comply with EU radio equipment and product conformity rules, implemented in Czech law through product safety and conformity legislation, in particular:

• the Act on Technical Requirements for Products (Act No. 22/1997 Coll.);
• the Act on Conformity Assessment of Specified Products (Act No. 90/2016 Coll.); and
• the Government Regulation on Conformity Assessment of Radio Equipment (No. 426/2016 Coll.).

Security Requirements Framework

The Electronic Communications Act requires providers to ensure the security and integrity of electronic communications networks and services. Providers must implement appropriate technical and organisational measures to manage security risks and protect the availability, authenticity, integrity or confidentiality of networks and transmitted data. Service providers must also establish technical interfaces enabling the lawful interception of communications by authorised authorities.

Telecommunications providers may also fall within the scope of the Cybersecurity Act (implementing the NIS2 Directive), which introduces additional cybersecurity and incident-reporting obligations for certain operators of essential or important services.

Net neutrality in the Czech Republic is governed primarily by the EU Open Internet Regulation (Regulation (EU) 2015/2120). National supervision and enforcement are carried out by the CTO under the Electronic Communications Act.

The Regulation requires internet access providers to treat all internet traffic equally, without blocking, throttling or prioritising specific content, applications or services. Traffic management measures are permitted only if they are transparent, proportionate, non-discriminatory and based on objective technical requirements, rather than commercial considerations.

Providers may also offer specialised services (such as IPTV, VoLTE or certain telemedicine services) that require a specific quality level, provided that sufficient network capacity exists and that the quality of the general internet access service is not degraded.

Impact on the Telecommunications Sector

The main practical impact of net neutrality rules in the Czech Republic concerns zero-rating practices, where data used by selected applications does not count towards a user’s data allowance. Following Court of Justice of the EU judgments in 2021 and 2022, such practices were found to be incompatible with the Open Internet Regulation. As a result, Czech operators discontinued zero-rating tariffs and migrated existing customers to compliant tariff structures by 2023.

Regulatory scrutiny now focuses on practices such as zero-rated access to operators’ own customer portals, which may still raise compliance concerns.

Limited Public Interest Exceptions

Recent amendments to the Electronic Communications Act introduced narrow exceptions allowing zero-rating for public interest services, particularly emergency communications. For example, access to certain emergency applications (such as the Záchranka rescue service app) may be exempt from data charges, to ensure users can contact emergency services even after exhausting their data allowance.

The integration of 5G, IoT and AI technologies in the Czech telecommunications sector is governed primarily by a combination of EU regulations and national legislation, including rules on spectrum management, data protection, cybersecurity and product regulation.

5G Networks

The rollout of 5G networks has required the allocation of additional spectrum bands, including 700 MHz and 3400–3600 MHz, through auctions conducted by the CTO. Spectrum licences are typically subject to coverage and deployment obligations, including the expansion of mobile connectivity in previously underserved areas and along key transport corridors.

IoT

IoT devices and connected equipment must comply with telecommunications and product regulation. In particular, devices that access or store information on terminal equipment must comply with Section 89 of the Electronic Communications Act, which requires prior user consent (the Czech implementation of the e-privacy “cookie” rule).

Connected devices must also comply with EU product and cybersecurity requirements, including the Radio Equipment Directive, which imposes security obligations for internet-connected radio equipment.

Artificial Intelligence

The EU Artificial Intelligence Act introduces obligations relating to transparency, risk management and market surveillance. In the Czech Republic, institutional supervision is expected to be clarified by forthcoming national implementing legislation.

AI technologies may also fall within the scope of the revised EU Product Liability Directive, which extends strict liability rules to defective software and AI systems, and will need to be transposed into national law by 9 December 2026.

Notable Considerations

Organisations entering into technology agreements in the Czech Republic operate in a generally contract-friendly legal environment, but several features of Czech private and regulatory law must be considered.

Contract structure and pricing

Under Czech law, unilateral price increases are generally not permitted without an explicit contractual mechanism. Agreements must therefore include clear price adjustment clauses, including notification periods and termination rights. Although the Civil Code allows renegotiation in cases of substantial change of circumstances (hardship), this provision is commonly excluded in B2B agreements.

Standard terms and adhesion contracts

Technology agreements are often concluded on the basis of standard terms and conditions, which may qualify as adhesion contracts under the Civil Code. Clauses that are unreasonably disadvantageous to the weaker party may be declared invalid, and surprising provisions in standard terms are ineffective unless expressly accepted by the other party. This requires careful drafting of supplier terms used in the Czech market.

Liability limitations

Czech law imposes mandatory limits on liability exclusions. Contractual clauses cannot exclude or limit liability for intentional misconduct or gross negligence, although liability caps are otherwise generally permitted in commercial contracts.

Data storage and data transfers

The Czech Republic does not impose general data localisation requirements, but certain sectoral rules may affect data storage arrangements. For example, tax records must remain accessible to Czech authorities, and personal data transfers must comply with the GDPR cross-border transfer regime.

Regulated Industries

Certain regulated sectors impose additional contractual requirements. In the financial sector, banks and other financial institutions must comply with banking secrecy rules under the Act on Banks (Act No. 21/1992 Coll.). Technology agreements involving the outsourcing of banking activities must therefore ensure appropriate safeguards, including confidentiality, security, incident reporting and audit rights.

Financial institutions are also subject to DORA, which introduces detailed requirements for ICT outsourcing arrangements, including governance, audit rights, data protection and exit strategies.

Companies providing technology services to regulated entities must ensure that their contractual frameworks comply with these sector-specific obligations.

Telecommunications services in the Czech Republic are regulated primarily by the Electronic Communications Act. Service agreements with end users must include a clear description of the services provided, pricing and tariff structure, billing arrangements, contract duration and termination conditions, and complaint procedures.

Contracts must also specify service quality parameters, including information on internet access speeds, as well as any compensation or refund mechanisms where agreed service levels are not met. Providers must inform end users about the possibility of out-of-court dispute resolution before the CTO.

Subscriber contracts must further address unilateral amendments, including the circumstances in which the provider may modify contractual terms and the subscriber’s right to terminate the contract without penalty with at least 30 days’ notice. Contracts must also guarantee the subscriber’s right to number portability free of charge.

For internet access services, providers must include a standardised contract summary in the format required under EU rules (BEREC), indicating minimum, normally available, maximum and advertised internet speeds.

Negotiating Favourable Terms

While consumer contracts are highly regulated, B2B telecommunications agreements are largely governed by contractual freedom under the Civil Code, subject to certain limitations such as the rules on adhesion contracts.

In practice, companies typically negotiate:

• service level agreements (SLAs) with measurable availability and response-time metrics;
• service credits or contractual penalties for SLA breaches;
• liability caps, noting that liability for intentional misconduct or gross negligence cannot be excluded; and
• price indexation clauses linked to objective indices (eg, inflation).

Companies should also consider clear exit and transition provisions, particularly for long-term telecommunications services.

Interconnection Agreements

Under the Electronic Communications Act, operators have a right and, where necessary, an obligation to negotiate interconnection to ensure end-to-end connectivity. Interconnection must be governed by a written agreement between the operators.

Operators may not refuse reasonable interconnection requests without justification. Where an operator has significant market power, the CTO may impose additional obligations, including non-discrimination, transparency, price controls and access to network elements. If negotiations fail, the CTO may intervene and determine the terms of access or interconnection.

Trust services and electronic identification in the Czech Republic are primarily governed by the eIDAS Regulation (Regulation (EU) No 910/2014), which applies directly across the EU. At the national level, the regulation is supplemented mainly by:

• the Act on Trust Services for Electronic Transactions (Act No. 297/2016 Coll.), which implements and complements eIDAS rules; and
• the Act on Electronic Identification (Act No. 250/2017 Coll.), which regulates the operation of the national electronic identification system and recognition of electronic identification means.

These laws regulate the provision of trust services, the use of electronic signatures, electronic seals and time stamps, and the supervision of qualified trust service providers (QTSPs).

Types of Electronic Signatures

• A qualified electronic signature (QES) provides the highest level of assurance and has the same legal effect as a handwritten signature. It requires a certified hardware device (like a USB token or smart card) and is used by public authorities.
• Advanced or recognised electronic signatures are widely used for electronic communication with public authorities and in commercial transactions.
• Simple electronic signatures are legally valid for private transactions, although their evidentiary value may be lower.
• Dynamic biometric signatures capture handwriting characteristics on digital devices and are commonly used in private sector transactions such as banking or retail services.
• Data boxes (datové schránky) are a specific Czech electronic communication system used for official communication with public authorities. Messages delivered through a data box have the same legal effect as registered mail and are widely used for communication with courts, administrative authorities and regulated entities.

Supervision and Digital Identity Schemes

The supervision of trust services is carried out by the Digital and Information Agency (DIA), which maintains the national Trusted List of qualified trust service providers and oversees compliance with eIDAS requirements.

Following the adoption of eIDAS 2 (Regulation (EU) 2024/1183), the DIA will also oversee the implementation of the European Digital Identity Wallet, which is expected to be introduced in the Czech Republic by 2026.

Liability and Insurance

Qualified trust service providers must maintain professional liability insurance to cover potential damage caused to users or third parties.

Under the Act on Electronic Identification, the supervisory authority may determine minimum insurance coverage requirements. The detailed calculation methodology is set out in Decree No. 409/2022 Coll., which links the minimum coverage to the number of users and the level of assurance provided.

The gaming industry operates under a framework of several key laws.

• The Copyright Act (Act No. 121/2000 Coll.) protects video games as copyright works, covering software code, graphics, music and other creative elements.
• The Audiovisual Act, as amended in 2025, now recognises video games as audiovisual works and allows developers to access public funding through the Czech Audiovisual Fund.
• The Consumer Protection Act mandates strict transparency for in-game monetisation. Sellers must display the lowest price of a digital product from the last 30 days, in order to prevent “fake” discounts. The Act also prohibits the use of fake or unverified user reviews.
• The Act on Personal Data Processing sets the age of digital consent at 15 years for online services, including online gaming platforms.
• The Act on Advertising Regulation (Act No. 40/1995 Coll.) restricts advertising practices targeting minors.

Online gaming platforms operating in the Czech Republic are also subject to EU legislation such as the Digital Services Act (Regulation (EU) 2022/2065), which imposes transparency and content moderation obligations, including enhanced protections for minors.

Industry Codes of Conduct

Although there is no mandatory statutory age-rating system for video games, the PEGI (Pan-European Game Information) rating system is widely used and recognised across Europe, including in the Czech Republic. Major digital distribution platforms typically require PEGI age ratings and content descriptors for game distribution. The PEGI Code of Conduct also promotes transparency regarding randomised in-game purchases (loot boxes), including disclosure obligations for paid random items.

At the industry level, organisations such as the Czech Game Developers Association (GDACZ) promote professional standards and industry self-regulation.

Key Legal Challenges

One of the main legal challenges concerns the regulatory classification of loot boxes and other randomised in-game purchases. Under the Gambling Act (Act No. 186/2016 Coll.), an activity qualifies as gambling if three elements are present:

• a monetary stake;
• an element of chance; and
• the possibility of a prize.

Loot boxes are not explicitly regulated and are therefore assessed on a case-by-case basis.

Where virtual items cannot be converted into real-world value or traded outside the game environment, they are generally considered not to meet the definition of gambling.

Age Ratings and Consumer Protection

While the PEGI system is not legally mandatory, it functions as the de facto standard for age classification of video games in the Czech market. Game developers must also comply with consumer protection and data protection rules, particularly where games involve in-game purchases, targeted advertising or the processing of personal data of minors.

The main supervisory authorities include the following.

• The Czech Trade Inspection Authority (Česká obchodní inspekce – ČOI) supervises compliance with the Consumer Protection Act and related civil law rules. In the gaming sector, it focuses primarily on the sale of digital content, including transparency of pricing, information obligations, and consumer rights in relation to digital products and in-game purchases.
• The Council for Radio and Television Broadcasting (RRTV) supervises certain online platforms under the Video-Sharing Platform Services Act, implementing the EU Audiovisual Media Services Directive. Its role is particularly relevant for gaming-related content distributed through video-sharing platforms or streaming services, including oversight of advertising practices and protection of minors.
• The Ministry of Finance (MFČR) acts as the regulator under the Gambling Act. It assesses whether certain gaming mechanics (such as loot boxes) may fall within the definition of gambling, and supervises licensed gambling operators.
• The Office for Personal Data Protection (ÚOOÚ) enforces the GDPR and the Act on Personal Data Processing, including the processing of player data, profiling and targeted advertising in online games.

Enforcement Powers

These authorities exercise enforcement powers through administrative proceedings under the Administrative Procedure Code (Act No. 500/2004 Coll.). Their powers include investigations, corrective measures and financial penalties. For example:

• the ČOI may impose fines of up to CZK5 million (approximately EUR200,000) for breaches of consumer protection rules;
• the ÚOOÚ may impose administrative fines under the GDPR, reaching up to EUR20 million or 4% of global annual turnover; and
• the Ministry of Finance may impose sanctions under the Gambling Act, including fines of up to CZK50 million (approximately EUR2 million) or the withdrawal of gambling licences.

Enforcement Trends

Domestic enforcement actions specifically targeting the gaming sector remain relatively limited. However, Czech authorities increasingly participate in EU-level co-ordinated enforcement actions.

A notable recent example involves the Consumer Protection Cooperation (CPC) Network, which examined practices in the game Star Stable Online. The investigation focused on potential consumer protection violations affecting minors, including:

• pressure techniques encouraging children to purchase virtual currency;
• time-limited offers influencing purchasing decisions;
• insufficient transparency regarding in-game currency; and
• inadequate disclosure of influencer marketing.

IP Ownership Challenges

A common challenge in the gaming industry concerns the ownership of intellectual property created by employees and external contributors. Under Czech copyright law, works created by employees within the scope of their employment qualify as employee works, meaning that the employer exercises the economic rights unless agreed otherwise. However, this regime is not absolute.

If a developer or artist creates a work outside the scope of their employment duties, they retain the economic rights even if the work was created using the employer’s equipment. For gaming studios, this makes it essential to clearly define the scope of creative activities in employment contracts, in order to avoid future disputes over assets such as character designs, source code or artwork.

This regime also has implications for M&A transactions involving game studios. The transfer of the employer’s exercise of economic rights to a third party (eg, in a studio sale) requires the consent of the employee-author. Studios therefore commonly include advance consent clauses in employment agreements, to ensure a clear transfer of rights during due diligence and acquisitions.

The legal framework differs for external contractors. Where an individual freelancer develops computer programs or databases on commission, the law provides a regime similar to employee works, allowing the commissioning party to exercise the economic rights. However, where the contractor is a legal entity (another company), no automatic transfer applies. In such cases, studios must rely on licence agreements or contractual arrangements to secure the necessary rights.

Ensuring a clear chain of title to all game components, including code, graphics and music, is therefore a key legal consideration for developers.

IP Protection in Virtual Environments

Creators can protect their digital assets through a combination of copyright enforcement, contractual terms and technological protection measures. Authors retain moral rights, including the right to object to distortion or misuse of their works. Developers also commonly rely on digital rights management (DRM) and platform notice-and-takedown procedures to address copyright infringement.

Contractual mechanisms, particularly End-User Licence Agreements (EULAs), play an important role in defining how game assets may be used by players and third parties.

User-Generated Content

User-generated content (UGC), such as game modifications (“mods”), raises additional intellectual property issues. Developers typically regulate UGC through their EULAs or platform rules, which specify whether players may create derivative works and under what conditions.

In many cases, users retain rights to their creations but grant the developer a broad licence to use, modify or distribute the content, while the commercial exploitation of such content is often restricted.

For example, the popular Czech-developed title Kingdom Come: Deliverance II allows users to create fan modifications under specific conditions. Players retain ownership of their modifications but grant the developer a royalty-free licence to use or distribute the content. Commercial exploitation of such mods is generally prohibited unless expressly authorised, and creators remain responsible for ensuring that their content does not infringe third-party intellectual property rights.

Trade Marks and Virtual Goods

Game titles, logos and character names may be protected as trade marks, including in relation to virtual goods and digital services offered within games or online platforms. Trade mark law therefore applies not only to traditional physical goods but also to virtual items and in-game branding, particularly where such assets are commercially exploited.

In the Czech Republic, the regulation of social media is shaped primarily by EU legislation, complemented by national laws. At EU level, the Digital Services Act imposes obligations on online platforms regarding illegal content, notice-and-action mechanisms, transparency of advertising, and enhanced duties for very large platforms. The GDPR, together with the Personal Data Processing Act, governs the processing of personal data, including profiling and targeted advertising. Under Section 7 of the Personal Data Processing Act, children under 15 cannot validly consent to information society services, which directly affects social media registrations and data monetisation models.

At national level, the Act on Certain Information Society Services (Act No. 480/2004 Coll.) regulates intermediary liability and commercial communications. The Act on Electronic Communications Act imposes confidentiality obligations and requires opt-in consent for non-essential cookies and electronic marketing. Copyright protection is governed by the Copyright Act which, following the implementation of the DSM Directive, increases the responsibility of certain online platforms for user-uploaded infringing content. Advertising practices are further regulated by the Act on Advertising Regulation.

Self-regulation also plays an important role in the Czech social media environment. The Code of Advertising Practice issued by the Czech Advertising Council requires transparent identification of sponsored content, including influencer marketing. In addition, marketing associations and academic institutions have adopted the “Code of Fair Influencer”, which establishes ethical standards for influencer marketing transparency; it requires clear labelling of sponsored content and addresses areas such as political influencer marketing, AI-generated content and advertising targeting minors.

There is no dedicated regulatory body exclusively overseeing social media platforms. The regulatory oversight is fragmented.

Office for Personal Data Protection (Úřad pro ochranu osobních údajů – ÚOOÚ)

The ÚOOÚ is the primary authority responsible for data protection compliance under the GDPR and the Act on Personal Data Processing. It is also responsible for supervising electronic marketing under the Act on Certain Information Society Services.

The ÚOOÚ has investigative powers, including audits and inspections. It may order corrective measures (such as suspension of processing), and can impose administrative fines of up to EUR20 million or 4% of global annual turnover under Article 83 of the GDPR.

Czech Telecommunication Office (Český telekomunikační úřad – CTO)

The CTO supervises compliance with the Electronic Communications Act, and has carried out enforcement actions against operators for unlawful telemarketing and improper use of tracking technologies.

Czech Trade Inspection Authority (Česká obchodní inspekce – ČOI)

The ČOI oversees compliance with consumer protection rules under the Consumer Protection Act and the Civil Code. In the social media context, it focuses particularly on misleading online advertising and influencer marketing practices. The authority may conduct inspections, impose fines and order the cessation of unlawful practices. Fines for breaches of consumer protection rules may reach CZK5 million.

Council for Radio and Television Broadcasting (RRTV)

The RRTV supervises video-sharing platforms under the Video-Sharing Platform Services Act, implementing the AVMS Directive. Its role includes oversight of protection of minors, commercial communications and age-verification measures on platforms hosting user-generated video content.

Data privacy in the telecommunications sector in the Czech Republic is governed by a combination of EU and national legislation. The primary framework consists of the GDPR and the Personal Data Processing Act.

Sector-specific rules include:

• the Electronic Communications Act (Act No. 127/2005 Coll.), which regulates the processing of traffic and location data, and establishes specific rules for cookies, telemarketing and confidentiality of communications; and
• the Cybersecurity Act (Act No. 264/2025 Coll.), implementing the NIS2 Directive, which imposes risk-management, incident reporting and supply-chain security obligations on telecom operators classified as essential entities.

Key Privacy Challenges

Telecommunications providers process large volumes of traffic and location data, which creates significant compliance challenges. Under the GDPR and the Electronic Communications Act, the processing of such data beyond what is necessary for service provision or billing generally requires explicit user consent. Operators must also comply with the data minimisation principle, which can be difficult in modern networks that generate extensive metadata.

Telecom operators must also operationally support data subject rights, including access, portability, erasure and objection, which requires dedicated internal procedures and technical systems.

Cross-Border Data Transfers and Localisation

Cross-border transfers of personal data follow the standard GDPR framework. Transfers within the EEA are unrestricted, while transfers to third countries require:

• an adequacy decision;
• appropriate safeguards (most commonly Standard Contractual Clauses); or
• a specific derogation under Article 49 of the GDPR.

Lawful Interception and Privacy

Telecom operators must enable lawful interception of communications for law enforcement and intelligence services under the Electronic Communications Act and the Criminal Procedure Code.

At the same time, Czech case law has increasingly emphasised privacy safeguards. In January 2026, the Czech Supreme Court confirmed that indiscriminate retention of traffic and location data for six months (as required by Section 97(3) of the Electronic Communications Act) is incompatible with EU law, reflecting CJEU jurisprudence. Legislative reform is therefore expected to replace blanket data retention with more targeted retention mechanisms.

Third-Party Vendors and Cloud Providers

Telecom providers rely extensively on third-party vendors and cloud service providers for network infrastructure, data processing and service delivery.

Under the Cybersecurity Act and the GDPR, operators must assess the security and compliance of suppliers, conclude appropriate data processing agreements, and monitor supply-chain risks. Where telecom operators provide services to regulated sectors such as financial institutions, they may also fall within the scope of DORA as ICT service providers. The provision of cloud services to public authorities is governed by Decree No. 412/2025, which requires cloud service providers to undergo a rigorous certification process to be included in the Cloud Computing Catalogue.

Impact on Infrastructure and Innovation

Evolving privacy and cybersecurity rules increasingly affect telecom network architecture and service development. For example:

• the move from blanket to targeted data retention requires a redesign of data storage and access systems;
• supply-chain security requirements may restrict the use of certain vendors; and
• technologies such as 5G and edge computing increase the number of points where personal data is generated and processed, requiring stronger privacy-by-design measures in network design.

Protecting User Data and Managing Consent

Digital media platforms face significant operational challenges when managing large volumes of user data, particularly in relation to consent management, security and the protection of minors.

A current regulatory issue concerns “consent-or-pay” models, where users must either consent to behavioural advertising or pay for an ad-free version of the service. Following guidance from the European Data Protection Board (EDPB), the Czech data protection authority (ÚOOÚ) has indicated that such models may not satisfy the requirement for freely given consent if users are not offered a genuine privacy-friendly alternative.

Platforms must also address age-related privacy risks, including verification of users’ age and the implementation of privacy-by-default settings for minors. Particular scrutiny has been placed on the use of interface design techniques (“dark patterns”) that could influence users – especially children – to share more personal data than necessary.

Privacy-By-Design and Security-By-Design

Digital media providers increasingly integrate privacy-by-design and security-by-design principles, including limiting the collection of personal data to what is strictly necessary, applying privacy-protective default settings, and embedding security controls directly into system design.

Third-Party Data Sharing

Digital media platforms commonly rely on complex ecosystems of advertising partners, analytics providers and technology vendors. Data sharing with such partners creates significant compliance risks, particularly where third-party tracking technologies are deployed. Key challenges include:

• ensuring that cookies, SDKs and tracking pixels comply with opt-in consent requirements under the Electronic Communications Act;
• clearly allocating responsibilities between controllers, joint controllers and processors; and
• managing extensive chains of sub-processors and ad-tech intermediaries.

These risks are typically addressed through detailed data processing agreements, contractual restrictions on data use, and technical controls limiting access to personal data.

Impact of Cybersecurity Regulation

Recent cybersecurity legislation has increased the regulatory burden on digital platforms operating in the Czech Republic. The Cybersecurity Act, implementing the NIS2 Directive, expands security obligations for certain digital service providers. Where platforms fall within its scope, they must implement risk-management frameworks, incident reporting procedures and supply-chain security measures. Contracts with cloud providers, infrastructure operators and software vendors must include provisions on security standards, incident notification, audit rights and vendor risk management.