The Evolution of the Fintech Market in the Czech Republic in 2024

After a challenging 2023, the fintech market showed encouraging signs of recovery in 2024. Although start-up investments hit their lowest level since 2020, the total volume grew year-on-year, reflecting a renewed confidence in the sector’s potential. This period of recalibration has also fostered a healthier focus among fintech companies on sustainable growth and profitability, aligning with the evolving priorities of investors who are now channelling larger amounts into high-potential ventures. Despite the lingering effects of the 2023 crisis, the sector is demonstrating resilience and adaptability, with many fintechs finding innovative ways to thrive in a more selective and strategically driven investment landscape.

Among the year’s trends, artificial intelligence (AI) clearly triumphed. Some new start-ups based their businesses on AI, and established fintechs are either testing AI or already have it in place and are exploring ways to make better use of it. The importance of AI was underscored by Flowpay, named fintech of the year, for which AI is an integral part of its business.

Technologies in the defence sector and quantum technologies also gained attention. The fund for technology start-ups was launched in the Czech Republic by NATO, whose accelerator DIANA is intended to support so-called dual-use technologies.

Issues That are Likely to Affect the Fintech Market in the Czech Republic in 2025

Cybersecurity and other use cases of AI can be expected to be key topics in the fintech market in 2025, including AI transformation involving operational optimisation and AI-enabled improvements to customer services and products. The reasons include the growing risks of cyber-attacks, largely related to the advent of AI, as well as investor pressure for sustainability and efficient use of capital.

Legal and ethical challenges will also grow, particularly under the new AI Act, enforcing stricter requirements for transparency, accountability, privacy and effective risk management systems.

From a regulatory perspective, fintechs will need to comply with the requirements of new legislation, like MiCA (Regulation 2023/1114) for crypto-assets markets, and DORA (Regulation 2022/2554), which imposes information and communication technology (ICT) obligations across the financial sector.

Fintech companies cover various business models, dominated by payment (eg, mobile-based payment services, QR codes, payment terminals or models combining affiliate marketing with philanthropy), personal finance and savings (eg, income and expenses monitoring, buy now pay later or pay anytime solutions) and accounting and cashflow verticals (eg, automated accounting, online invoice financing).

Cryptocurrency platforms (eg, exchanges, trading or savings) and online broker verticals (mainly comparators and insurance and other financial products intermediaries) are also very popular. These, along with the investment verticals, welcomed the highest number of new players in the fintech scene over the course of 2024.

Finally, insurtech and peer-to-peer investments, including lending and investment crowdfunding platforms, are also well represented. However, only five companies so far hold a licence under the Crowdfunding Regulation for lending-based models, and one company holds a licence for investment-based models.

Although the local fintech market is dominated by start-ups, some legacy players, such as large banking or investment groups, are also active in the sector. While some of them have set up fintech companies to offer innovative solutions in-house, others provide these services by partnering with fintech players.

The regulatory regime applicable to industry participants in the Czech Republic depends on the particular business model. The main laws applicable under the existing financial services regulatory framework are as follows.

• Payment service providers and e-money institutions are regulated by the Czech Payment Services Act (the “PSA”), which implements PSD2 (Directive 2015/2366) and EMD2 (Directive 2009/110/EC).
• Investment firms and investment intermediaries are governed by the Act on Capital Market Business (the “CMBA”), which implements or adapts the legal system in the Czech Republic to a wide range of EU legislative acts such as MiFID II (Directive 2014/65/EU), MiFIR (Regulation 600/2014), the Prospectus Regulation (Regulation 2017/1129), MAR (Regulation 596/2014), DORA, MiCA, the DLT Pilot etc.
• Investment funds and management companies are subject to the Act on Management Companies and Investment Funds (the “AMCIF”), which implements AIFMD (Directive 2011/61/EU) and UCITS (Directive 2009/65/EC).
• Lending-based and investment-based crowdfunding providers are regulated by the Crowdfunding Regulation.
• Insurance companies and insurance intermediaries are subject to the Insurance Act and the Insurance and Reinsurance Distribution Act.
• Consumer credit originators and intermediaries are subject to the Consumer Credit Act.
• Most of the crypto-asset service providers are regulated by MiCA.
• AML/CFT requirements are laid down in the Act on Certain Measures against the Legalisation of the Proceeds of Crime and the Financing of Terrorism, which implements the fourth AML Directive (Directive 2015/849/EU) (as amended) and in the Act on the implementation of international sanctions, which will be subject to a major overhaul in the coming years in the context of the EU AML/CFT package adopted in 2024.
• The directly applicable EU regulations including the MiFIR, Prospectus Regulation, MAR, DORA, MiCA, the DLT Pilot etc.

The types of compensation models in the financial industry in the Czech Republic depend on the regulatory status, service type and customer category. Different business models are subject to distinct regulatory requirements, including disclosure obligations.

Compensation Models

The most common models in investment services are the commission-based and fee-based models, depending on whether the fees are paid by product providers or customers. In payment services, fee-based models dominate, with fees charged either per transaction or on a recurring basis, or a combination thereof.

Disclosure and Other Obligations Related to Compensation Models

In general, regulated entities (eg, payment institutions or investment firms) must meet pre-contractual and ongoing information requirements, including full fee disclosure. The disclosure obligation is stricter when the recipient of the service is a consumer, as a result of local legislation implementing EU consumer protection law (eg, the Consumer Credit Directive (Directive 2008/48/EC) or the Distance Marketing of Consumer Financial Services Directive (Directive 2002/65/EC). Regulated entities are usually also subject to conflicts of interest rules, which may affect the compensation models used.

Furthermore, specific rules apply to the provision and receipt of inducements. These rules aim to ensure that the service provider acts in the best interests of the customer and avoids conflicts of interest.

In the field of investment services, including some pension products, an inducement received from or provided to third parties other than customers is only permissible if:

• it is intended to contribute to improving the quality of the service/product provided; or
• it facilitates the provision of the service or is necessary for that purpose, provided that it is properly disclosed and it does not conflict with the service provider’s obligation to act in the customer’s best interest.

In addition, inducements will be excluded, subject to exceptions, in the case of investment advisory services provided independently or portfolio management services.

In line with technological neutrality, the Czech Republic has no specific fintech regulation. Fintech companies must comply with relevant rules applicable to legacy players if they fall under specific regulations.

In 2024, the Czech Republic launched its first fintech and decentralised finance (DeFi) sandbox to accelerate the development of an innovative fintech ecosystem. The sandbox offers a dedicated space for legal and technical testing of new fintech solutions in regulated industries.

It is open to SMEs with innovative solutions requiring sandbox testing to clarify their regulatory status and/or who need access to datasets to determine the functioning, usefulness and viability of the tested solution. The solution must be beneficial for the financial market in the Czech Republic, sustainable and have growth potential.

Selected participants receive indirect support, mainly in the form of regulatory testing, business mentoring or other advisory services. They also have the opportunity to engage with public authorities and independent experts and discuss the regulatory aspects of the proposed solution to ensure it complies with the applicable regulation.

The sandbox is a pilot project that may inspire similar initiatives in other areas (eg, AI).

The Czech National Bank (the “CNB”) regulates all financial industry participants and oversees them from prudential and conduct of business perspectives. In addition to the CNB, the Financial Analytical Office (the “FAO”) handles AML/CFT supervision and does so jointly with the CNB when it comes to financial service providers.

Authorities in the Czech Republic also co-operate with European regulators such as the European Central Bank (the “ECB”), the European Banking Authority (the “EBA”), the European Securities and Markets Authority (the “ESMA”) and the European Insurance and Occupational Pensions Authority (the “EIOPA”), which oversee specific areas and directly supervises certain entities.

It is not common for the CNB or other regulators in the Czech Republic to issue “no-action” letters.

Outsourcing of regulated functions to external service providers is permitted provided that the relevant regulatory requirements are met. While specific rules depend on the activity and its scope (eg, investment or payment services), general principles stem mainly from MiFID II, PSD2, relevant outsourcing guidelines adopted at EU level, such as the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-157-2403), and the implementing domestic laws.

In general, regulated entities must assess outsourcing risks beforehand through due diligence to ensure the provider has the necessary skill, experience and resources. They must also maintain a written outsourcing policy and ensure arrangements do not compromise their legal obligations or supervision by the authorities. A written contract with mandatory provisions (eg, data security, audit rights, termination clause) is required, with stricter rules for critical functions like risk management, ICT or AML.

From January 2025, new ICT outsourcing rules, including third-party risk monitoring, will apply to most regulated financial institutions.

In general, fintech providers’ liability arises from AML/CFT legislation, as most fintech activities fall within its scope. Providers must comply with requirements like customer identification, due diligence and monitoring of customer relationships.

Additionally, large fintech companies may be subject to additional obligations if designated as a “gatekeeper” under the Digital Markets Act (the “DMA”) (Regulation 2022/19).

The CNB can impose various sanctions, with the most significant being the revocation of licences for inactivity over six months or serious legal breaches. In recent years, the CNB has sanctioned fintech companies for violations related to investment funds and management companies, investment and payment services and AML/CFT rules. The CNB also publishes all or some of its decisions, using “naming and shaming” to increase transparency.

Data Protection

Regardless of the sector, fintech companies that process personal data must comply with the GDPR (Regulation 2016/679) and the ePrivacy Directive (Directive 2002/58/EC). In some cases, they must also comply with the Data Act (Regulation 2023/2854), which focuses on data sharing and compensation.

Cybersecurity

Cybersecurity is crucial for fintechs, which must meet sector-specific requirements (eg, payments, investments, insurance), including robust ICT security measures. From 2025, almost all financial service providers must adhere to DORA’s strict ICT security rules, such as risk management, ICT incident classification and third-party ICT risk monitoring.

Finally, the NIS2 Directive (Directive 2022/2555), which repeals the NIS Directive (Directive 2016/1148) as of October 2024, is also important for some larger companies in the financial sector who provide essential services in the field of cybersecurity (ie, ensuring the proper functioning of the market) as they are subject to specific obligations (eg, vulnerability detection or incident reporting).

Social Media Content

Fintech companies must comply with copyright, advertising laws and regulations like the Digital Services Act (the “DSA”) (Regulation 2022/2065) and the DMA. While the DSA regulates intermediaries offering services such as online marketplaces, cloud services or social media platforms, and its key objective is to prevent illegal and harmful activities online, the DMA sets out rules to prevent unfair practices by large online platforms (the so-called “gatekeepers”) that are deemed to be too important to be left unregulated.

The AI Act

Another very important piece of legislation for fintech companies is the AI Act (Regulation 2024/1689), which entered into force in August 2024 and will come into force in phases between 2025 and 2027. The AI Act establishes obligations for various persons such as providers, product manufactures, importers, distributors or users (ie, persons who deploy AI systems in the course of their profession) of AI systems with a link to the EU market. The scope of the obligation is risk-based. While excessive risk AI systems are prohibited (eg, social scoring), AI models which do not pose any systemic risk are subject to certain transparency and other general obligations.

Consumer Protection Legislation

Local consumer protection legislation, such as the Consumer Credit Act or the Civil Code, which implement various EU directives, are also relevant for industry players that target consumers.

Entities with large-scale operations or regulated activities must have their financial statements reviewed by a qualified external auditor. Regulated entities like banks, payment institutions, and investment firms are also required to establish compliance, internal risk control and internal audit functions. Some regulated entities are even obliged to subject some of their activities to specific external audits, like customer asset protection measures.

In addition to regulators and auditors, various authorities, such as tax authorities, the Financial Arbitrator, the Personal Data Protection Office etc, can review industry participants’ activities throughout their life cycle. Entities within certain professional organisations may also be subject to supervision and sanctions by these bodies.

Industry participants can offer both regulated and unregulated products, but the scope and conditions vary depending on the status of the entity.

In some cases (eg, payment institutions or investment firms), approval from the CNB is required. The CNB may impose certain conditions or even require that these additional activities are performed via a separate entity if these activities hinder effective supervision.

As mentioned in 2.9 Gatekeeper Liability, most activities by fintech companies in the Czech Republic, whether regulated or unregulated, are subject to AML/CFT legislation. This broad application stems from the Czech Republic’s gold-plating of the fifth AML Directive, bringing all virtual asset service providers (VASPs) under its scope since 2021.

Entities subject to the AML/CFT rules must comply with national and international sanctions legislation, including a 2023 national sanctions list alongside EU and FATF lists. Obligations include verifying clients and beneficial owners against these lists and reporting suspicious transactions.

Additionally, the revised EU Transfer of Funds Regulation (the “TFR”) requires payment service providers and crypto-asset service providers (CASPs) to:

• ensure transparency in transfers by including payer and payee information;
• have internal procedures for detecting suspicious transactions; and
• implement restrictive measures.

AML/CFT and sanctions legislation in the Czech Republic generally follows the FATF standards, as it largely stems from EU legislation, which ensures FATF standards are applied uniformly across the EU.

Additionally, the main AML/CFT supervisory authority in the Czech Republic, the FAO, incorporates these standards into its opinions, guidance and supporting documents.

In the Czech Republic, there are two potential reverse solicitation regimes. The first is the general reverse solicitation regime which may be applied to every type of service (regulated and unregulated). This reverse solicitation regime arises from the CNB’s interpretation of general EU case law (not related to the financial sector) and it is therefore sometimes considered accepted market practice reverse solicitation.

Accepted Market Practice Reverse Solicitation

Under accepted market practice reverse solicitation, no licensing requirement will be triggered where the client is located outside of the jurisdiction and the activities take place outside of the jurisdiction.

In general, what is relevant is the place where the characteristic performance (which follows the standard EU doctrine) of the relevant licensable activity is provided, ie, the place where the client receives contractual performance for which payment is due. Where a relevant licensable activity is provided in the simultaneous physical presence of two contracting parties or their representatives (ie, the relevant provider and the client are located in the Czech Republic), it is provided in that location (ie, the Czech Republic).

The relevant licensable activities are deemed to be provided outside the Czech Republic, if:

• the performance is provided at a distance, but the beneficiary of the relevant licensable activity actively sought out the foreign provider in the other country (the activity is provided at the own exclusive initiative of a person established in the jurisdiction who initiated the contact with no solicitation carried out by the relevant provider); or
• the contract was entered into in the other country, and it must have been clear to the client that Czech Republic law would not apply (the legal regime of the contract is irrelevant).

In the case of a relevant licensable activity provided at a distance, the activity is provided where it is “offered in a targeted manner” (ie, active marketing targeted at Czech Republic clients has been applied) and where it can simultaneously be used. This is an exception from the reverse solicitation regime mentioned above. It means that the reverse solicitation regime will not apply if the relevant licensable activity was marketed in any way in the Czech Republic. Furthermore, negotiation of the terms of a transaction/signing documentation in the Czech Republic will also prevent the application of the reverse solicitation regime.

Investment Services Specific Reverse Solicitation

On the other hand, there is a reverse solicitation regime that explicitly arises from the provisions of relevant regulation (such as MiFID II). It therefore does not apply to all services, but only in relation to investment services and marketing of investment funds.

Under the investment services specific reverse solicitation regime, where an entity established outside the Czech Republic (offshore) provides services at the own exclusive initiative of a person established in the jurisdiction, the services should not be deemed as provided in the jurisdiction, provided that the client’s approach is unsolicited (ie, there has been no marketing targeted at the market in the Czech Republic). The following conditions must be satisfied.

• The response must be limited to the licensable activities covered by the request.
• Each transaction must be preceded by an unsolicited request.
• The relevant services/products must be offered and provided from offshore (on a reach-in basis, ie, interacting with the client from outside the jurisdiction, and fly-in basis, ie, where an employee of the offshore entity has flown into the jurisdiction and interacts with the client while in the jurisdiction).
• No contract must be signed by the offshore non-licensed entity in the Czech Republic (however, the client may sign in the jurisdiction before the offshore non-licensed entity signs from outside the jurisdiction).
• A third-party referral will not qualify as an unsolicited request.
• It is recommended that detailed records of any unsolicited requests be retained.

Based on the ESMA Q&A on MiFID II, at the course of a service that constitutes an ongoing relationship, transactions of services within the scope of the unsolicited request can be provided.

The concept of “own exclusive initiative” under MiFID has been implemented into local law but has not been defined locally. However, we believe that the CNB is likely to follow the ESMA’s guidance on the interpretation of “own exclusive initiative” in its Q&A on MiFID II.

We also believe that where all aspects of the relationship with the client take place on a cross-border basis (eg, any marketing materials are sent from offshore), this further demonstrates that the services are not undertaken in the jurisdiction where reverse solicitation is being relied on.

Although the provision of robo-advisory services in relation to some asset classes does not constitute a licensable activity (eg, certain crypto-assets that are not “financial instruments” or loans), robo-advisory activities are normally provided in relation to asset classes such as shares, bonds or units in collective investment undertakings (eg, ETFs) which qualify as “financial instruments” and are regulated under the CMBA.

The provision of robo-advisory activities in relation to “financial instruments” often constitutes provision of investment services relating to “financial instruments” (usually investment advice and/or portfolio management), which are licensable activities under the CMBA. For the provision of portfolio management services an authorisation as an investment firm is required, unless an exemption applies, while for the provision of investment advice a light-touch licensing regime of the so-called investment intermediary can be availed. Alternatively, a licence obtained under other sectoral legislation (eg, banking or investment funds) may be leveraged to provide robo-advisory services constituting investment services, provided that the investment services are covered by the respective licence.

Only a few legacy players in the Czech Republic have implemented solutions introduced by robo-advisors. One of the largest banks, Československá obchodní banka (ČSOB), was among the first to offer a robo-advisory service to help clients build investment portfolios. Other traditional players have integrated robo-advisory solutions through start-ups within their business groups or by acquiring third-party robo-advisors. However, the robo-advisory market in the Czech Republic remains small.

The application of the best execution obligation to robo-advisers depends on whether they provide a regulated investment service and their role in executing client orders. When the robo-advisory activities involve services like execution of orders on behalf of clients, reception and transmission of orders, or portfolio management, the entity is subject to the best execution obligation, just like entities using human advisers. This means the robo-advisory firm must take all reasonable steps to ensure client orders are executed on the most favourable terms. The specific requirements depend on the type of investment service provided. Additionally, all investment firms must act in the best interest of their clients.

There are significant differences in the regulation of commercial lending (including to SMEs) and consumer lending in the Czech Republic. While commercial lending does not generally require a licence, consumer lending is highly regulated.

Regardless of the financed entity, both lending and loan intermediation are designated activities under AML/CTF legislation in the Czech Republic, subjecting lenders and intermediaries to its requirements.

Commercial Lending

Commercial lending in the Czech Republic is not subject to a special regulatory regime unless provided by banks or credit institutions. It is primarily regulated by the Civil Code. While parties to a loan contract can freely agree on terms, they cannot deviate from certain legal provisions that protect the “weaker party”.

Consumer Lending

Consumer lending activities, including credit provision and intermediation, require an appropriate licence. The Consumer Credit Act ensures a high level of consumer protection by setting rules on pre-contractual and ongoing information, contract form and credit checks. It requires disclosing information to help consumers compare different offers and make informed decisions. The Consumer Credit Act also grants consumers rights like early repayment and the right of withdrawal.

Crowdfunding

Lending-based crowdfunding services are regulated under the Crowdfunding Regulation, which requires providers to obtain a licence and grants investors rights, such as a pre-contractual reflection period to revoke an investment offer.

Underwriting processes vary based on the lender, borrower and type of credit.

AML/CFT Legislation

All financial entities, including professional lenders and loan intermediaries, must comply with the AML/CFT legislation of the Czech Republic. Therefore, obligations such as customer identification and due diligence and risk assessment of the business relationship apply in the underwriting process.

Consumer Lending

As mentioned in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, unlike commercial lending, consumer lending activities are highly regulated. A key obligation in underwriting is assessing the creditworthiness of a potential borrower using reliable information, which the consumer must provide (eg, financial situation).

Lenders typically also use external databases (eg, the Bank Customer Information Register) for this assessment, often relying on automated profiling and decision-making tools.

To manage banking risks, banks must also follow strict prudential rules on capital adequacy and exposure, based on Basel Committee recommendations and EU regulations.

Lenders use various sources of funds, such as deposits, capital from private investors, or peer-to-peer lending. Regulatory requirements differ based on the source of the funds. Deposit-taking requires a credit institution licence, while public offerings of shares or bonds are subject to prospectus requirements, unless exempt. Raising funds through crowdfunding platforms is governed by the Crowdfunding Regulation.

In contrast, sources like factoring often have lighter regulatory requirements, typically only requiring registration with the Czech Trade Office and compliance with AML/CFT legislation.

Loan syndication is primarily used by legacy players such as large banks to finance large projects, which are typically not closed online. In contrast, consumer and small business loans are generally not syndicated. When fintech platforms do syndicate loans, it is usually by transferring credit risk to third parties through sub-participation. Depending on the structure, this may be subject to investment funds or investment services regulation.

Payment processors can use existing payment rails or create new ones, but authorisation from the CNB is required to process payments, unless exempt.

In the Czech Republic, the only payment system that is covered by the PSA, which implements the Settlement Finality Directive (Directive 98/26/EC), is the Czech Express Real Time Interbank Gross Settlement System (CERTIS), which is the only interbank payment system that processes interbank payments in Czech crowns.

Cross-border payments and remittances constitute payment services. Therefore, they are primarily regulated by the PSA, which is to be substantially revised in the coming years with the forthcoming PSD3/PSR/FIDA framework.

The key focus of payment services regulation is to improve payment security and safety, enhance harmonisation across the EU member states and improve access to payment systems and financial data. In general, there is also a strong emphasis on the AML/CFT area, as reflected in the AML/CFT legislative package adopted last year, which aims to significantly harmonise and strengthen the AML/CFT rules across the EU, including by establishing a supranational AML/CFT authority.

Among other legislative acts that are especially relevant for cross-border payments is the Single Euro Payments Area (SEPA) Regulation (Regulation 260/2012) as it seeks to ensure that cross-border cashless euro payments across the EU as well as several non-EU countries can be made in a similar way to that of domestic payments.

Regulation (EU) 2021/1230 on cross-border payments in the EU establishes the principle that charges for cross-border euro payments are the same as for corresponding national payments within the EU. For card-based payments, Regulation (EU) 2015/751 is also relevant as it caps interchange fees for consumer debit and credit cards.

Finally, further regulation of cross-border payments is provided for in the revised TFR, which requires payment providers to accompany transfer of funds with relevant information, verify the accuracy of this information, if relevant, and ensure robust protection of personal data, including compliance with record retention requirements.

There are various marketplaces and trading platforms for different asset types (eg, “financial instruments” or crypto-assets) in the Czech Republic. The regulatory regime depends on the nature of the assets traded.

Exchanges for Financial Instruments

If the traded assets qualify as “financial instruments” under the CMBA (eg, bonds or shares), the trading platform is required to be authorised by the CNB to operate either a regulated market, a multilateral trading facility (MTF) or an organised trading facility (OTF). Regulated markets have the strictest requirements, with only two authorised entities in the Czech Republic: Burza cenných papírů Praha, a.s. and RM-SYSTÉM, česká burza cenných papírů a.s.

With the entry into force of DLT Pilot in 2023, a more flexible regime for tokenised “financial instruments” was introduced, allowing experimentation with issuance, trading and settlement. The central securities depository in the Czech Republic, Centrální depozitář cenných papírů, a.s., is the first to be authorised to operate a DLT securities settlement system under this regime.

Crowdfunding Platforms

Lending-based or investment-based crowdfunding platforms require authorisation under the Crowdfunding Regulation (see 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities). However, this Regulation does not cover models that trade the assignment of receivables originally granted by the platform, or models where the platform grants loans on its own account and risk. These activities may fall under other relevant regulations, such as investment services or investment funds regulation.

Crypto-Asset Exchanges

The provision of services related to non-financial instrument crypto-assets, including operating a crypto-asset trading platform, now requires a licence under MiCA. The complexity of requirements varies, with the strictest imposed on platform operators.

MiCA became fully effective at the end of 2024, and there is currently a transition period until 1 July 2026 in the Czech Republic. However, only companies that:

• were registered as a VASP in the Czech Republic prior to 30 December 2024; and
• have applied for authorisation as a CASP pursuant to MiCA by 31 July 2025 can continue providing crypto-asset services during the transitional period.

Entities that do not meet the above requirements may only operate a crypto-asset exchange after obtaining a MiCA licence.

Different regulatory regimes apply to asset classes based on their nature, complexity and risks. Platforms trading “financial instruments” or most crypto-assets must be authorised under the relevant regime (the CMBA, DLT Pilot or MiCA). Platforms trading other assets, such as certain NFTs, may only be subject to the notification regime.

For “financial instruments”, there are also differences depending on the category (eg, bonds, emission allowances, structured finance products and derivatives can only be traded on OTFs). Additionally, trading contracts for difference (CFDs) for retail clients was restricted by the CNB in 2019.

The emergence of cryptocurrency exchanges and the significance of the crypto sector has significantly influenced regulation, leading to the adoption of new or revised regulations.

AML

Due to the rapid growth of crypto-assets, the Czech Republic gold-plated some provisions of the fifth AML Directive. As a result, all VASPs have been subject to AML/CFT legislation in the Czech Republic since 2021. The regulatory regime for VASPs is expected to shift in 2025 from a notification procedure to an authorisation procedure.

MiCA and DLT Pilot Regime

The most important regulatory change lies in MiCA, which has been effective since 30 December 2024. It regulates the public offering and provision of services related to most crypto-assets (excluding “financial instruments” and other regulated asset classes like deposits). For trading and settlement of crypto-assets qualifying as “financial instruments”, the DLT Pilot introduced a dedicated regulatory regime.

As a result, anyone wishing to operate a crypto-asset exchange or trading platform must obtain the appropriate authorisation (see 6.1 Permissible Trading Platforms).

Decentralised Exchanges

Crypto-exchanges operating fully decentralised and disintermediated are exempt from MiCA. However, most existing platforms are unlikely to qualify for this exemption, as they involve some centralisation (eg, earning trading fees through a person or entity facilitating the trading). The European Commission will assess DeFi and the regulation of decentralised crypto-asset systems over the next four years, potentially leading to dedicated regulation for these systems.

Listing standards vary by trading system and asset type. Listing on unregulated exchanges, like decentralised crypto-asset exchanges, has no specific regulatory framework, while listing “financial instruments” under the CMBA or crypto-assets under MiCA is highly regulated.

The CMBA

The CMBA requires trading venue operators to have transparent rules for trading, admission of “financial instruments” and access to the trading venue. Admission criteria, order execution and trading rules must be objective, ensuring fair and orderly trading.

In addition to the CMBA rules, each operator establishes its own listing rules, typically published on their website (eg, Rules and Regulations of the Prague Stock Exchange that are available here). Trading in MTFs and OTFs is generally subject to less onerous requirements than on regulated markets.

MiCA

Like the CMBA trading venue operators, crypto-asset platform operators under MiCA must have transparent rules ensuring fair access, admission of crypto-assets and orderly trading and efficient execution and settlement of trades. Platforms cannot admit crypto-assets without a white paper or those with an anonymisation function. Operators must ensure crypto-assets comply with their rules before admission to trading.

Entities executing orders for “financial instruments” or crypto-assets under MiCA on behalf of their clients must follow order handling rules in the CMBA or MiCA respectively.

The CMBA

In general, entities that execute orders for “financial instruments” must have procedures and arrangements in place to ensure the prompt, fair and expeditious execution of clients’ orders. Orders will be executed in the order in which they are received unless an exemption applies. If any material difficulty arises which is relevant for the proper prompt execution of orders, the retail client must be informed. In addition, in the absence of any specific client instruction, entities executing clients’ orders must take all reasonable steps to achieve the best possible result for their clients. The firm‘s order’s execution policy must specify how the best possible result will be achieved when executing client orders.

The CMBA also includes specific order handling rules for regulated markets, MTFs and OTFs.

MiCA

MiCA’s order handling and trade execution rules are largely modelled on MiFID II and are similar to the CMBA rules. Crypto-asset service providers must prioritise achieving the best result for clients when executing orders, with a best execution policy required. Operators of crypto-asset platforms also follow specific rules for order handling and execution. Entities not regulated by the CMBA or MiCA are not subject to specific order handling regulations.

Although peer-to-peer trading platforms are not widespread in the financial market in the Czech Republic, they have grown, particularly in lending and crypto-assets, with fintech companies leading the way. The rise of these platforms in crypto-assets contributed to the introduction of the DLT Pilot.

A key regulatory challenge could be aligning the regime of these platforms with payment services, as their activities often involve transferring funds on behalf of clients. Although a licence under the PSA is required to transfer funds, this is not always the case.

Investment Services

Following the MiFID II/MiFIR revision which came into force in March 2024, investment firms are prohibited from receiving payments or benefiting from executing client orders on a particular execution venue or forwarding client orders to a third party for execution on a particular execution venue. This prohibition does not apply to rebates and discounts on transaction fees, provided they benefit the client and are part of the approved public tariff structure.

Although there is a grandfathering period that allows member states that already allow payments for order flows to exempt investment firms which serve clients in that member state and carried out the activity before 28 March 2024 from the prohibition until 30 June 2026, Germany is the only member state that has made use of this discretion. However, these payments must still comply with inducement requirements.

This prohibition is expected to enhance market quality by improving execution for retail investors and increasing pre-trade transparency on execution platforms for retail orders.       

Crypto-Asset Services

Like under the revised investment services framework, crypto-asset service providers under MiCA are prohibited from receiving any monetary or non-monetary benefits for routing client orders to any particular trading platform for crypto-assets or any other crypto-asset service providers.

Market integrity and market abuse principles are outlined in MAR and complemented by MAD (Directive 2014/57/EU) and delegating and implementing acts, while MiCA and Commission delegated regulation directly addresses crypto-assets.

The objective is to ensure EU financial market integrity and investor protection, prohibiting unlawful behaviour. Three types of market abuse practices are banned: insider dealing, unlawful disclosure of inside information and market manipulation.

MAR and MiCA contain provisions to prevent and detect these practices, such as systems to report suspicious orders and transactions or disclosure obligations.

MAR applies to “financial instruments” traded on regulated markets, MTFs, and OTFs, as well as products like CFDs. MiCA covers crypto-assets admitted to trading or seeking admission. Violations of market integrity rules may lead to administrative or criminal sanctions.

The creation and use of high-frequency (HFT) and algorithmic trading (AT) is regulated under the CMBA. The regulation therefore only applies to HFT and AT in relation to “financial instruments”.

In principle, a person only trading for their own account (and not executing customer orders) using AT does not need an authorisation, unless HFT is applied. For HFT, an authorisation from the CNB is always required.

Investment firms and regulated entities using AT and HFT must have effective systems and risk controls to ensure market resilience and prevent abuse. Business continuity arrangements, system testing and monitoring are required. HFT is also subject to other specific requirements (eg, record-keeping or incorporation of a “kill switch”). Use of these technologies requires notification to the competent authorities.

A person engaged in AT trading for their own account does not need to be authorised as a market maker unless they are using a market-making strategy. This involves, inter alia, posting a firm, simultaneous bid and offer prices of comparable size and at competitive prices relating to one or more “financial instruments” on one or more trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.

In this case, authorisation under the CMBA is required. Specific rules, such as carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours and entering into a binding written agreement with the trading venue, apply.

Unlike dealers, investment funds are only subject to the applicable AT and HFT legislation if they are members or participants of regulated markets and MTFs. The main difference between an investment fund and a dealer is that a fund manager makes collective investment decisions for multiple investors according to a common strategy of the fund, whereas a dealer typically invests according to individual customer circumstances.

Programmers who develop and create trading algorithms and other electronic trading tools are not subject to any specific regulation in the Czech Republic, unless they also engage in a regulated activity (eg, HFT).

The underwriting process for insurtech companies in the Czech Republic follows the same regulations as traditional insurance companies. Insurtechs typically function as independent intermediaries or tied agents. The former requires a CNB licence, while the latter only needs registration.

Insurtech companies, regardless of their structure, must adhere to the rules set out in the Insurance Act, including acting in the customer’s best interest and fulfilling information obligations before and during the contract. Furthermore, for online underwriting processes, commonly used by insurtechs, where the insured person is a consumer, the consumer protection provisions containing specific information obligations apply.

In the Czech Republic, life and non-life insurance products face different regulatory requirements, with the strictest rules applying to investment-based products (eg, pre-contractual obligations, appropriateness tests, conflict of interest rules, and remuneration policies).

The life and non-life insurance markets are largely dominated by major insurers like Kooperativa (part of Vienna Insurance Group) and Generali Česká pojišťovna, who together hold about half of the market share. However, the insurtech segment is a key player in the growing fintech market in the Czech Republic, focusing mainly on non-life insurance products, such as sports equipment or property insurance products.

Regtech providers in the Czech Republic are not specifically regulated but may fall under existing regulations depending on their activities. Since they primarily offer technical solutions to help regulated entities meet legal obligations rather than providing financial services, they do not typically fall under specific financial regulations.

However, they must comply with data protection laws like the GDPR and may also be subject to the new AI Act or electronic identification and trust services regulation. In these cases, they must adhere to relevant regulations and obtain necessary authorisations if required.

If a regulated entity outsources functions to a regtech provider that it would typically perform itself, it must comply with outsourcing regulations and soft law requirements (see 2.8 Outsourcing of Regulated Functions), unless the activity has no impact on the entity’s obligations. The applicable requirements depend on the type of regulated entity and the outsourced function, including whether the function is critical or important.

While the Czech Republic has been active in the blockchain field, most of the innovation has come from fintech companies, with traditional players remaining cautious about adopting blockchain. A notable Czech blockchain project is ElA, which unites private entities like IBM and government institutions such as the Ministry of Industry and Trade. ElA’s blockchain platform serves as a trusted space for document and transaction registration, as well as for digital property registration.

The Blockchain Notarius app is used to verify document authenticity, such as business contracts and certificates. The latest development, the National Blockchain Registry (the “NABRE”), allows real-time verification of information, events, and data authenticity. The NABRE includes features like digital proxies to counter deep fakes and a per rollam voting application for online meetings.

With the introduction of MiCA, traditional players are expected to show more interest in blockchain, as it provides clearer rules for crypto-activities and greater legal certainty, alongside simplified entry conditions.

Most financial market regulation, including for innovative technologies like blockchain, comes from the EU, limiting the legislative powers of regulators in the Czech Republic. However, in response to MiCA and the perceived high risk of the crypto-asset sector, new legislation has been proposed to strengthen oversight of persons providing crypto-asset-related services as a business not covered by MiCA. These providers will need to undergo an authorisation procedure with the FAO, rather than a notification procedure with the Trade Office. To obtain authorisation, providers must meet conditions such as demonstrating reliability, being debt-free, providing a CZK250,000 security, and submitting a business plan. This regime is expected to take effect in the first half of 2025.

Local regulators mainly issue opinions to clarify existing legislation, such as when authorisation from the CNB is needed for certain crypto-asset activities, or issue warnings about unauthorised companies in the sector. As the CNB will assess and grant MiCA authorisations, it has held seminars over the last year to outline its expectations and requirements.

Although the terms used in this context vary (eg, crypto-assets v virtual assets), the classification of blockchain assets is already relatively well established. This is due to the adoption of the substance over form approach, whereby the features of the crypto-asset determine the classification and the related regulatory regime of the asset, rather than its designation by the issuer.

With MiCA in place, the following categorisation could be considered the primary way of classifying blockchain assets:

• crypto-assets within the scope of MiCA, and
• crypto-assets outside the scope of MiCA.

As regards the first category, MiCA further distinguishes between asset-referenced tokens, e-money tokens and other crypto-assets. In the second category comprising of crypto-assets outside the scope of MiCA, there are various types of assets, the most relevant being crypto-assets that are “financial instruments”, deposits or funds. Depending on the nature of the crypto-asset, the respective regulatory framework applies.

One of the main problems in crypto-assets classification is the different implementation of the term “financial instrument” in the national legislation of EU member states. To address this issue, guidelines on the conditions and criteria for the qualification of crypto-assets as “financial instruments” have been issued by the ESMA. The extent to which national authorities follow these guidelines in practice will therefore be important for a more uniform classification of crypto-assets across the EU.

As described in 10.3 Classification of Blockchain Assets, the regulation of “issuers” as well as initial sales of blockchain assets depends on the legal classification of blockchain assets.

If the blockchain assets qualify as a crypto-asset under MiCA, the obligations set out in MiCA apply. The applicable rules for public offerings of crypto-assets and their admission to trading varies depending on the category of crypto-asset, with stablecoins (asset-referenced tokens and e-money tokens) being the most strictly regulated. Only licensed entities such as credit institutions are able to offer stablecoins to the public, while other crypto-assets can be publicly offered without any licence, provided that certain transparency requirements are met. The key obligation is to draw up, notify to the competent authority and publish an information document called a white paper, which could be likened to a prospectus, unless an exemption applies (eg, an offer to fewer than 150 or solely to qualified investors).

On the other hand, if the blockchain assets qualify as “financial instruments”, the existing financial services legislation applies (eg, MiFID II, MAR or the Prospectus Regulation). The issuer of blockchain assets that qualify as transferable securities is required to prepare and publish a prospectus, which must be approved by the CNB prior to the public issuance of the assets, if no exemption applies.

In the case of blockchain assets that are electronic money but not e-money tokens within the meaning of MiCA, the PSA applies.

As described in 10.3 Classification of Blockchain Assets, the regulation of blockchain asset trading platforms, as well as the secondary market trading of blockchain assets, depends on the legal classification of the traded blockchain assets.

In the case of crypto-assets that fall within the scope of MiCA, trading platforms and intermediaries providing services related to these crypto-assets are subject to authorisation requirements under MiCA. The requirements for obtaining authorisation are quite similar to those for investment firms, including requirements for the good repute and expertise of the applicant’s management, prudential safeguards, risk management measures, including money laundering and terrorist financing risks, and adequate ICT systems in compliance with DORA. Only legal entities with their registered office in the EU can be granted a MiCA licence. The licensing obligation does not apply to fully decentralised peer-to-peer crypto-assets trading platforms as they are outside the scope of MiCA.

If blockchain assets qualify as “financial instruments”, the platform trading these assets must instead obtain an authorisation to operate either as a regulated market, a MTF or an OTF. Provision of investment services related to “financial instruments” such as reception and transmission of orders or execution of orders in relation to “financial instruments” is also subject to a licensing obligation.

Under the DLT Pilot, MTFs may apply for an authorisation to operate a DLT MTF and obtain temporary exemptions from certain existing requirements of EU financial services legislation to test innovative solutions based on DLT on capital markets. The DLT Pilot is only open to certain blockchain assets that qualify as “financial instruments” (in essence, only assets with low market value/capitalisation/issue size).

In addition, where the operation of the blockchain asset trading platform involves activities such as accepting fiat currency from buyers or transmitting fiat currency to sellers, an authorisation under the PSA for the provision of payment services may be required.

The provision of staking services related to crypto-assets is not regulated under MiCA. However, other regulations may apply, particularly AML/CFT legislation.

AML/CFT Legislation

As mentioned in 10.2 Local Regulators’ Approach to Blockchain, providers of crypto-asset-related services that are not covered by MiCA will soon be subject to an authorisation procedure before the FAO. Until then, the provision of these services is only subject to the notification procedure before the Trade Office. In addition, they are required to comply with other applicable obligations under the AML/CFT legislation such as customer due diligence or suspicious transaction reporting.

The AMCIF

For these purposes, the CNB has issued an opinion on the regulation of staking, clarifying the conditions under which crypto-assets may be collected from other persons for the purpose of staking them without the activity being subject to collective investment regulation under the AMCIF. By staking, the opinion means only so-called traditional or on-chain staking, where a holder locks or lends its crypto-assets to be used for the purposes of securing the proof-of-stake (PoS) blockchain network and transaction validation/block creation.

According to the CNB, the collection of crypto-assets for the purpose of on-chain staking will benefit from the exemption from the AMCIF for the collection of monetary valuables which have the provision of own non-financial services as their main purpose, provided that the on-chain staking is carried out by the entity collecting the crypto-assets. The AMCIF will therefore not apply.

Other Regulation

Although staking itself falls outside the scope of MiCA, staking-related services (eg, custody of crypto-assets used for staking or the private keys giving access to them by the staking provider) may be subject to MiCA, if the definition of any of them is met. In this case, authorisation as a CASP is required.

In addition, where crypto-assets are being collected for purposes other than on-chain staking, even if the collection is described as staking, it will be necessary to examine whether the conditions for the AMCIF application are met. In addition, staking could be subject to banking regulation if the person carrying out the staking finances its activities by accepting funds (ie, not crypto-assets, except for e-money tokens) with an obligation to return them to the depositor.

Finally, local consumer protection laws may apply if the services are provided to consumers.

As with staking, lending is not subject to MiCA. However, AML/CFT legislation will apply. Therefore, lending providers are obliged to obtain the relevant authorisation for their activities (currently only based on a notification to the Trade Office, soon to be based on the FAO authorisation procedure) and to comply with the relevant AML/CFT legislation. In addition, local consumer protection laws may apply, if consumers are targeted.

Offering crypto-asset derivatives that qualify as “financial instruments” under MiFID II to customers is subject to MiFID II/MiFIR and the related framework, including MAD/MAR. In addition, public offerings of crypto-asset derivatives may be subject to the Prospectus Regulation, if the derivative product constitutes a transferable security within the meaning of MiFID II, or MiCA, if it constitutes a crypto-asset subject.

The law in the Czech Republic neither defines nor specifically regulates DeFi. However, depending on factors such as the type and structuring of activities undertaken, including the associated degree of automation and decentralisation, and the type of crypto-assets used, different regulatory frameworks may apply to DeFi (eg, MiCA, AML/CFT legislation, investment services legislation such as the CMBA or the AMCIF, or consumer protection legislation). A case-by-case basis analysis must be carried out.

Although MiCA expressly excludes crypto-assets services provided in a fully decentralised manner without any intermediary from its scope, this is not the case for other financial services. In addition, both conditions, ie, full decentralisation and non-intermediation, must be met to be excluded from the scope of MiCA. The mere fact that the services are provided in a disintermediated manner is therefore unlikely to have any impact on the application of the relevant regulatory regime.

The activity of investment funds, including those investing in crypto-assets, is regulated under the AMCIF in the Czech Republic.

The CNB has issued an opinion on the possibility for investment funds to invest in crypto-assets. The opinion only discusses crypto-assets that do not qualify as “financial instruments”. The standard rules governing investments in “financial instruments” therefore apply otherwise.

According to the CNB position, only investment funds for qualified investors may invest in crypto-assets as their investment policy is not regulated by the legislation. On the other hand, funds that are offered to retail investors; ie, standard (UCITS) or special investment funds (AIF), cannot invest in crypto-assets due to the limited scope of permissible assets they can acquire.

See 10.3 Classification of Blockchain Assets.

There is no specific regulation regarding non-fungible tokens (NFTs) and NFT platforms in the Czech Republic. This is mainly because NFTs have a great variety of characteristics and purposes that may require different levels of regulation. However, depending on the characteristics of the NFT, including its purpose and the rights and assets it represents, it may fall within the scope of existing financial services regulation.

This can be demonstrated using the practical example of the AML/CFT legislation in the Czech Republic, which excludes crypto-assets that are unique, not fungible with other crypto-assets and cannot be used for payment or investment purposes from its scope. On the other hand, unique and not fungible crypto-assets used for making payments or investment will be covered therein. It is quite similar in the case of MiCA, which excludes crypto-assets that are unique and not fungible with other crypto-assets from its scope, but at the same time lays down quite detailed criteria for determining when they are indeed NFTs (see Recitals 10 and 11 and Guideline 8 of the ESMA Guidelines on the conditions and criteria for the qualification of crypto-assets as “financial instruments”).

Therefore, a case-by-case analysis is necessary to determine whether NFTs and NFT platforms fall under the scope of any regulation.       

As a result of the transposition of PSD2 into Czech Republic law, credit institutions are required to allow authorised third parties to access their customers’ payment data via a secure application programming interface (API). This has opened the EU payment market to innovative payment services providers relying on access to payment accounts (payment initiation services and account information services), allowing for more competition.

However, as open banking remains limited in the Czech Republic and in the EU in general, legislative changes will be introduced under the forthcoming PSD3/PSR/FIDA framework to, inter alia, strengthen open banking and open finance more generally.

Since open banking relies on sharing customers’ personal data, it poses various data protection and security risks, including data hacking or cyber-attacks on APIs.

For this reason, credit institutions and other payment service providers are both subject to strict technical security and data protection requirements imposed by PSD2 and the GDPR. For example, the processing of personal data under PSD2 requires explicit customer consent. In addition, credit institutions and payment service providers must now comply with DORA requirements regarding the security of their ICT systems and contractual arrangements with ICT third-party service providers, including providers of payment processing activities or operating payment infrastructures. Compliance with strict DORA requirements such as effective ICT risk management and advanced ICT testing should help them cope with any privacy and security concerns and ensure their technological safety.

Although the number of attacks on banks and their clients is still growing, according to data from the Czech Banking Association (the “CBA”), banks are increasingly succeeding in detecting fraud before the actual outflow of money occurs, and at the same time, as a result of improving defence mechanisms, the average damage is also decreasing.

The most commonly used forms of fraud in the Czech Republic are phishing, smishing via SMS messages or emails that are supposed to look like legitimate communications from the respective institution/authority and vishing via fraudulent phone calls. In the case of phishing, the victims click through to fraudulent websites, where they most often enter their log-in details, thereby revealing them to the fraudsters, who then carry out fraudulent transactions themselves.

In the event of vishing, the caller impersonates, for example, a police officer or a bank employee, and manipulates the victim into taking actions that enable the fraud to be carried out (eg, disclosing data or installing a spying application). In this type of case, the number may mimic the number of the calling institution/authority (so-called “spoofing”).

The sole purpose of these scams is to obtain sensitive data and misuse it. Fraudsters’ practices are becoming more sophisticated as they use new manipulative techniques to target victims and continually innovate their forms of attack. At the same time, victims provide unwitting co-operation (eg, through online activity that leaves a digital trail which fraudsters can use to target their attack better), making attacks easier.

The regulator’s focus is generally on online fraud, in particular payment fraud (eg, fraud mentioned in 12.1 Elements of Fraud) and investment fraud (eg, fraudulent investment offers promising high returns).

Due to their repetitive nature, the CNB often warns of fraud through fraudulent messages, emails and phone calls, including calls where the attackers impersonate employees of the CNB. However, given the rise of strong customer identification impersonation scams, the CNB has recently focused on this type of fraud as well.

As well as online posts with descriptions of fraudulent schemes and practical advice on how to defend against them, the CNB also regularly publishes warnings about entities providing regulated services without the appropriate authorisation.

The responsibility of fintech service providers for losses and the extent of this responsibility depends on the type of activity provided as well as on the circumstances of the case.

Financial services providers are generally liable for providing their services in line with the applicable regulation. Financial service providers are therefore liable to customers for damages caused by a breach of any of their regulatory obligations. In addition, some legislation contains specific liability provisions, such as in the case of payment services or custody services under MiCA.

Payment service providers are generally liable for unauthorised payment transactions and for non-execution, defective or late execution of payment transactions, unless an exemption applies (eg, in case of abnormal and unforeseeable circumstances or the payer’s fraudulent behaviour). The payer may be obliged to bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.

As regards the custody services related to crypto-asset subject to MiCA, MiCA includes specific provisions on the liability of CASPs providing this service. They will be liable for any loss resulting from an incident that is attributable to them.

In addition, the general civil liability rules may apply (eg, when offering crypto-assets or “financial instruments” to the public).