The Past 12 Months

Czech fintech has established itself as a strategic segment of the economy. The industry’s gross value added stands at nearly EUR480 million, it contributes EUR144 million to public budgets annually and employs over 6,000 people across 200-plus companies.

Relative to Western Europe, however, the sector remains modest in scale. Limited access to growth financing remains a structural weakness.

A positive development for the future of Czech fintech is the CzechInvest Fintech Regulatory Sandbox, a government initiative for systematic financial innovation support, entering its operational phase.

Digital assets

The Czech National Bank (CNB) has received one of the highest volumes of crypto-asset service provider licence applications in the EU, confirming Czechia’s position as a regional leader in digital assets.

Czechia has accumulated hands-on experience with digital assets through two landmark events. In what became known as the “Bitcoin Affair”, a convicted criminal voluntarily surrendered bitcoins, the proceeds of illicit activity, to the Czech state (Ministry of Justice), which subsequently moved to auction them off. When the story became public, it triggered significant legal and regulatory scrutiny, with legitimate new bitcoin-holders left uncertain about what they could lawfully do with the flagged assets. Adding to this, the CNB made history as the first central bank to publicly purchase crypto-assets.

Artificial intelligence

AI was the dominant trend of the past 12 months, becoming the leading investment priority across the sector and the most active area in start-up formation.

The Next 12 Months

AI will likely continue to dominate, with AI agents and autonomous systems moving into live deployment. This will influence mainly new business models such as regtech and robo-advisers. 

Clear crypto-asset regulation may attract foreign crypto-firms as well as legacy players. Banks are actively exploring the convergence of traditional finance and digital assets, though progress is expected to be slow.

Fintech activity in Czechia is most prevalent across the following verticals:

• crypto-assets – exchanges, OTC dealers, peer-to-peer solutions, stablecoins and tokenisation initiatives, with currently only a few service providers holding a licence in Czechia to operate as a crypto-asset service provider;
• payment services – QR-based payment mechanisms and payment gateways;
• personal finance – buy-now-pay-later, retail investing and robo-advisory platforms;
• accounting and bookkeeping – AI-driven automation tools; and
• crowdfunding – platforms matching retail lenders and investors with borrowers and businesses, with only a few companies currently licensed to operate a crowdfunding platform.

The fintech space is predominantly driven by start-ups, but with clear crypto-asset regulation in place, traditional players are increasingly exploring crypto-asset and tokenisation opportunities.

The regulatory regime depends on the activities performed.

• Crypto-assets: Most crypto-asset service providers are regulated under the EU Markets in Crypto-Assets Regulation (MiCA) and require a licence from the CNB. Those falling outside MiCA’s scope remain subject to the Czech AML Act and may require registration with the Financial Analytical Unit (FAU).

• Payment services and e-money: Payment institutions and e-money institutions are regulated under the Czech Payment Services Act and require a CNB licence. This framework is expected to be substantially revised according to new EU rules on payments, with application anticipated from 2027 onwards.
• Investment services: Investment firms and intermediaries require a licence from the CNB and are regulated under the Czech Capital Market Undertakings Act (CMUA), aligning Czech legislation with EU Markets in Financial Instruments Directive II (MiFID II) Regulation. In addition, the Markets in Financial Instruments Regulation (EU) governs trading obligations and market transparency, the EU Prospectus Regulation applies to public offers of securities, and the EU Market Abuse Regulation sets out market abuse prevention rules.
• Crowdfunding and P2P lending: These platforms are regulated under the EU Crowdfunding Regulation, requiring a CNB licence. Depending on the business model, the Czech Payment Services Act may also apply.
• Consumer credit: Providers and intermediaries of consumer loans must comply with the Czech Consumer Credit Act and may require a CNB licence.
• AML: Entities qualifying as obliged persons under the AML Act must implement customer due diligence, transaction monitoring and suspicious activity reporting obligations. The adopted EU AML package will reshape the framework from 2027 onwards.
• DORA: The EU Digital Operational Resilience Act imposes requirements on financial institutions and their technology service providers to implement and maintain digital resilience.

Compensation models in fintech depend on the nature of the service provided.

For investment service providers, commissions are allowed only where the benefit enhances the quality of the service or is necessary for the provision of the service, and must not impair the firm’s duty to act in the client’s best interests. For portfolio management and independent investment advice, commissions are prohibited entirely, with the exception of minor non-monetary benefits.

Crypto-asset service providers are subject to conflict-of-interest rules and typically operate on a fee-based model charged to customers (trading fees, spreads). These providers are usually prohibited from receiving any benefit for routing client orders.

Payment service providers use a variety of pricing models, per-transaction fees charged to merchants being the most common.

Regulated entities must provide clients with pre-contractual disclosure in sufficient time to review, compare products and make an informed decision. Where automated systems are used, clients have the right to request human intervention. Disclosure obligations are stricter where the client is a consumer.

Czech legislation generally does not distinguish between fintech and legacy players.

However, legacy players benefit from certain advantages in some areas. Under MiCA, some legacy players who are already licensed do not need to obtain a separate licence to provide crypto-asset services or issue e-money tokens.

In early 2026, the CzechInvest Fintech Regulatory Sandbox entered its main operational phase, becoming the first comprehensive state initiative aimed at systematically supporting financial innovations.

At present, 21 projects have been selected for the programme, which is focused on testing new financial services, tools and unique solutions for the digital economy (such as payment services, accounting and investment and crowdfunding platforms). The sandbox is open primarily to SMEs developing technologies that require regulatory clarification or technological testing.

The timing for the next application round has not yet been announced.

The CNB serves as the primary regulator for licensed financial market participants, with jurisdiction over banks, payment institutions, e-money institutions, investment firms, insurance companies, crowdfunding platforms and the majority of crypto-asset service providers. The CNB issues licences, conducts ongoing supervision and may impose sanctions. Where an entity is already supervised by the CNB, the CNB also assumes AML supervisory responsibility.

The Office for Personal Data Protection has exclusive jurisdiction over compliance with the EU General Data Protection Regulation (GDPR).

The FAU supervises AML compliance for obliged persons not otherwise supervised by the CNB and issues registrations for crypto-asset service providers falling outside the scope of MiCA.

At the EU level, the European Supervisory Authorities exercise direct supervisory powers in specific areas, most notably over systemically important entities such as significant stablecoin issuers and critical technology providers serving financial institutions.

Regulators generally do not issue no-action letters.

The CNB, however, provides interpretative opinions and guidance notes on the regulatory qualification of specific activities, which offer a degree of regulatory certainty in practice.

Regulated functions may be outsourced, but the outsourcing entity remains fully responsible for all outsourced activities. Prior to outsourcing, the entity must conduct due diligence to assess whether the arrangement increases operational risk, and take all the necessary measures to mitigate such risk.

Where the outsourced activities involve technology services provided to a financial institution, the outsourcing contract must include mandatory provisions covering availability, data access and recovery rights, audit rights, incident management and business continuity obligations, and a duty to co-operate and provide assistance without additional charges.

Where personal data is processed by the provider, a GDPR-compliant data processing agreement is required, which must cover purpose limitation, appropriate technical and organisational security measures, breach notification obligations and mechanisms for the exercise of data subject rights.

Outsourcing to a regulated entity is not mandatory but is generally preferable, as regulated providers are already subject to supervisory oversight and tend to have established compliance frameworks.

Most fintech providers are treated as gatekeepers under AML rules. They are responsible for monitoring their clients’ transactions on an ongoing basis and reporting suspicious activity.

Additionally, entities qualifying as gatekeepers under the EU Digital Markets Act must comply with obligations around interoperability, data access and fair dealing. In practice, only large tech companies such as Amazon, Alphabet or Meta qualify.

When the CNB identifies breaches of regulatory duties, it may impose a range of enforcement measures, from ordering remediation of identified deficiencies to revoking a licence.

Notable recent enforcement actions include the following:

AML

The CNB imposed a CZK9.5 million fine on a bank for multiple AML breaches, including failure to properly assess client risk, inadequate employee training, and failure to prevent the establishment of business relationships with clients listed on international sanctions lists. In a separate case, the CNB fined a Czech bank CZK5 million for deficiencies in AML obligations, including insufficient client identification procedures and inadequate risk management processes related to international transactions.

Unauthorised Deposit-Taking

The CNB imposed significant fines on several entities for unlawfully accepting deposits and collecting funds from the public without holding a banking licence or other required authorisation. 

Privacy – GDPR

Fintech providers processing personal data are subject to the GDPR. Key obligations include data minimisation, lawful basis for processing, data subject rights and breach notification.

Cybersecurity – DORA and Cybersecurity Act

Financial entities must maintain risk management frameworks, report incidents, conduct resilience testing and monitor third-party technology providers.

Larger entities across key sectors such as energy, healthcare, banking and digital infrastructure are additionally required to implement measures to address cyber-threats and minimise their impact.

Artificial Intelligence – AI Act

Fintech providers using AI for purposes such as credit scoring or other high-risk applications must ensure the accuracy, reliability and transparency of their systems and maintain human oversight.

Digital Services – Digital Services Act and Digital Markets Act

Fintech platforms with marketplace or intermediary characteristics fall under the EU Digital Services Act, which imposes tiered transparency and content moderation obligations.

The EU Digital Markets Act is relevant only for the largest platforms and in practice does not affect Czech fintechs. Entities subject to this regulation must comply with obligations around interoperability, data access and fair dealing.

Cyber-Resilience

Fintechs that develop or distribute software products must ensure that their devices and software are designed, updated and maintained to protect users. Main obligations will apply from 2027.

Consumer Protection

Entities dealing with consumers must comply with consumer protection law, including disclosure obligations and the right of withdrawal within 14 days from online contracts. This applies broadly, including, for example, during an initial coin offering.

Companies face statutory external audits when legal size-thresholds are met (number of employees, annual turnover or value of assets).

All companies are required to publish their financial statements in the Commercial Register, making their accounts publicly accessible and subject to informal scrutiny by anyone.

Technology providers to financial institutions must be monitored by those institutions as part of their third-party risk management obligations.

Soft oversight is also exercised by industry bodies such as the Czech Fintech Association through codes of conduct and best practice guidance.

Fintech providers may combine regulated and unregulated products and services, but the extent depends on their licensing framework.

Investment firms may perform other business activities only after registering them with the CNB, provided such activities do not hinder the proper provision of investment services or effective supervisory oversight. The CNB may refuse such registration, limit its scope or impose conditions.

Payment institutions may perform other activities only if they do not pose a material threat to the financial stability of the payment institution or hinder effective supervisory oversight by the CNB.

AML rules apply broadly to Czech fintechs regardless of whether they operate as regulated financial institutions or as unregulated service providers.

Under current Czech AML rules, onboarding non-EU clients digitally without a physical presence is in practice very difficult. As a result, Czech fintechs seeking to serve non-EU customers tend to establish operations in another jurisdiction better suited to remote onboarding.

The EU AML package, applying mainly from 2027, will significantly reshape this framework and should embrace digital onboarding.

International sanctions are implemented in Czech law. Czechia is bound to implement EU sanctions regulations.

Czech AML rules broadly follow Financial Action Task Force (FATF) standards, as national legislation is built on EU AML frameworks, which are themselves designed to implement FATF recommendations. Czechia is largely compliant with most FATF recommendations.         

Czech law permits reverse solicitation under limited circumstances. The CNB treats reverse solicitation as a narrow exception, not a mechanism for systematic market access. It will scrutinise any prior marketing activity, as such activity will disqualify the exemption entirely.

Crypto-Asset Services

A third-country firm may provide crypto-asset services to clients in Czechia if initiated exclusively at the client’s own initiative. This does not entitle the firm to offer new categories of services or assets to that client. The exception does not apply where a third party solicits clients on behalf of the provider, or where services are marketed in Czechia.

Investment Services

Similar principles apply to investment services. However, foreign investment firms may provide certain investment services to Czech professional clients without triggering full authorisation requirements.

Investment Funds

A transaction does not constitute an offering of investments where the investor makes the decision to invest entirely on their own initiative.

The applicable regulatory framework for robo-advisers depends on the asset class in respect of which services are provided.

Where a robo-adviser provides investment services (eg, investment advice or portfolio management) in relation to financial instruments (eg, shares, bonds or security tokens), it is providing a regulated investment service under MiFID II, implemented in Czech law through the CMUA. A licence from the CNB is usually required, either as an investment firm or, under certain circumstances, as an investment intermediary.

Where services are provided in relation to crypto-assets regulated under MiCA that do not qualify as financial instruments, the CMUA licensing regime does not apply. However, providing investment advice or portfolio management in relation to such assets constitutes a regulated service under MiCA, for which CNB authorisation may be required.

Where a robo-adviser advises solely on physical commodities, no licence is required. However, commodity derivatives remain financial instruments and sectoral regimes may apply depending on the commodity.

The Czech robo-advisory market remains modest in scale. Traditional financial institutions are adopting automated solutions gradually, often through fintech partnerships rather than large-scale internal transformation. 

On the fintech side, Portu, originally a venture of investment bank WOOD & Company, has been offering robo-advisory services since 2018, through automated portfolio construction that is tailored to individual client profiles. Fondee and other fintech platforms operate on a similar model.

Where robo-advisers execute client orders in relation to financial instruments, the investment firm is subject to the best execution requirements and must take all the necessary steps to obtain the best possible result for the client, having regard to factors such as price, costs, speed and likelihood of execution.

Investment firms using robo-advisers are subject to an overarching duty to act in the client’s best interest when handling transactions. They must maintain and implement a robust order execution policy, monitor execution quality on an ongoing basis, and justify their choice of execution venues to demonstrate continuing compliance.

Similar obligations usually apply to crypto-asset service providers where robo-advisers execute orders in relation to crypto-assets.

Consumer lending is the most heavily regulated fintech segment, in which the lawmaker has imposed a comprehensive set of borrower protections (eg, mandatory disclosure obligations, an obligation to assess creditworthiness before granting credit, a 14-day right of withdrawal, and the right to repay early at any time with limited penalty).

Lending to businesses and professional counterparties is largely left to civil law.

Where lending is conducted through crowdfunding, the crowdfunding platform must hold a licence from the CNB.

Underwriting processes vary across lending types and are partially dictated by regulation.

In commercial lending, lenders conduct due diligence proportionate to the size of the loan. Standard checks include publicly available insolvency and enforcement registries and published accounting statements, supplemented by external databases where needed.

In consumer lending, lenders are required to assess the creditworthiness of the borrower before granting credit. In practice, banks rely on internal credit scoring models, income verification and checks against external databases and credit registries.

In crowdfunding, platforms are required to conduct a credit risk assessment and disclose the results to prospective investors.

The most common source of loan funding is deposits collected from the public. Only entities with a banking licence may collect deposits.

Lenders can also raise capital through equity or debt issuance and deploy the proceeds as loans. Public offerings generally require a prospectus approved by the CNB, unless exempted. Non-bank lenders using this model to provide consumer loans must also hold a consumer credit licence from the CNB.

Peer-to-peer platforms match lenders directly with borrowers online. Such platforms require a crowdfunding licence from the CNB.

Loan syndication occurs mainly in the corporate and real estate lending markets where a single loan is too large or too concentrated for one lender. Major arrangers are typically large commercial banks.

The borrower appoints one or more arrangers who structure the facility and commit to underwriting a portion of the amount. The arranger then markets the loan to a group of institutional lenders, each taking a portion of the total facility. The syndicate appoints a facility agent (to administer the loan) and a security agent (to hold security on behalf of the lenders).

No dedicated syndicated lending statute applies, but participant lenders must comply with applicable rules such as the large exposure limit, individual capital adequacy and AML obligations.

Payment processors may utilise existing payment rails or create new ones, provided they obtain the necessary authorisation from the CNB under the Czech Payment Services Act.

The central pillar of Czech payment infrastructure is CERTIS (the Czech Express Real Time Interbank Gross Settlement System), operated by the CNB, which processes interbank payments in Czech crowns in real time. Payment institutions and e-money institutions have been able to become participants in CERTIS since 2025, and use it to settle payment orders within the scope of their licence.

Cross-border payments in euros within the European Economic Area are subject to the EU SEPA Regulation, which establishes a single set of rules for cashless euro transfers.

The EU Regulation on Cross-Border Payments requires that fees for cross-border euro transactions do not exceed those for equivalent domestic payments. This principle was extended to instant euro transfers, which should not carry higher costs than standard transfers.

At the national level, the Czech Payment Services Act governs the provision of payment services, including cross-border transfers. This framework is expected to be substantially revised following the adoption of a new EU regulatory framework, which is anticipated to apply from 2027 onwards.

AML/CFT is the primary regulatory concern for cross-border payments. The adopted EU AML package will reshape the framework as of 2027 and will introduce a directly applicable single rulebook. A new EU-level supervisory authority, the Anti-Money Laundering Authority, will exercise direct supervisory powers over high-risk entities.

Payment service providers must transmit information about the payer and payee alongside every transfer under the EU Transfer of Funds Regulation. Equivalent obligations apply to crypto-asset service providers for crypto-asset transfers.

Trading platforms differ based on the assets traded.

Those which trade financial instruments are regulated under MiFID II and the CMUA, which recognises three types of trading venues:

• Regulated markets – the most stringently regulated, may only be operated by an organiser of a regulated market holding a CNB licence.
• Multilateral trading facilities – these have fewer rules on admitting instruments to trading and lighter disclosure obligations for issuers. They can be operated by an organiser of a regulated market, an investment firm or an equivalent EU entity.
• Organised trading facilities – these are restricted to trading bonds, structured finance products, emission allowances and derivatives. They require CNB authorisation.

A platform may seek authorisation under the EU DLT (Distributed Ledger Technology) Pilot Regime, which permits trading and settlement of tokenised securities and grants certain regulatory accommodations, such as direct retail investor access. The CNB has granted such authorisation to the Czech Central Securities Depository.

Crypto-assets regulated under MiCA can be traded on exchanges holding a crypto-asset service provider licence issued by the CNB.

Crypto-assets outside the scope of MiCA that are not financial instruments (eg, some non-fungible tokens) can be traded on platforms authorised by the FAU.

Different asset classes are subject to distinct regulatory regimes depending on their classification.

Financial Instruments and Security Tokens

Financial instruments and security tokens are regulated under the MiFID II/CMUA framework. Issuers face prospectus requirements, ongoing disclosure obligations and market abuse rules. Firms dealing in financial instruments must hold a licence from the CNB, unless exempt.

Crypto-Assets

Crypto-assets that do not qualify as financial instruments and fall within the MiCA taxonomy (asset-referenced tokens, e-money tokens and other crypto-assets) are regulated under MiCA. Issuers must publish a crypto-asset white paper and, for certain token types, obtain CNB authorisation.

Crypto-assets that do not fall under MiCA and are not financial instruments (eg, non-fungible tokens) fall outside the scope of both MiCA and MiFID II/CMUA. However, certain services relating to non-fungible tokens may still trigger obligations under the Czech AML Act.

The emergence of cryptocurrency exchanges prompted regulatory intervention at the EU level through MiCA, followed by the Czech Act on the Digitalisation of Financial Services.

Centralised exchanges operating in the EU must obtain a crypto-asset service provider licence (which in Czechia is granted by the CNB) and must comply with requirements covering governance, capital adequacy, custody of client assets, and integrity.

Czechia has gone a step further and retained a licensing regime under the AML Act for virtual asset service providers, including exchanges, that fall outside MiCA’s scope.

Security tokens that qualify as financial instruments must be traded on venues authorised under the MiFID II/CMUA framework, in the same manner as traditional financial instruments.

Decentralised exchanges may fall outside MiCA’s scope if they are fully decentralised and operate without any intermediary. In practice, it is questionable whether any exchange will genuinely satisfy this condition and the regulatory treatment of decentralised exchanges remains an evolving area.

Financial Instruments (MiFID II/CMUA)

Listing obligations for financial instruments are governed by MiFID II/CMUA and further defined by venue operators. Admission to a regulated market requires the issuer to publish an approved prospectus (unless exempted), to meet minimum market capitalisation thresholds and to comply with disclosure obligations. Multilateral and organised trading facilities operate under lighter admission requirements, with standards largely set by the operator.

Crypto-Assets

Cryptocurrency exchanges cannot admit a token to trading where a white paper is required but has not been published, or where the token incorporates anonymisation functions. Exchanges must assess whether tokens comply with the platform’s admission rules, evaluate their potential connection to fraudulent activity and assess the reliability of the project.

Decentralised Exchanges (DEXs)

On spot DEXs, any token can typically be listed without requiring extra permission and becomes tradeable automatically, subject to sufficient liquidity. On perpetual DEXs, listing decisions are generally made by the founding team or a governance vote. Whether such platforms are truly decentralised, and therefore outside MiCA’s scope, remains questionable in practice.

The rules for handling client orders are broadly similar for financial instruments and crypto-assets.

Investment firms and cryptocurrency exchanges must execute client orders on the best possible terms, taking into account in particular price, costs and speed of execution. Firms must establish and maintain a best execution policy and provide clients with appropriate information. Additional rules apply depending on the type of venue.

Crypto-assets that are neither financial instruments nor within MiCA’s scope (such as non-fungible tokens) are not subject to specific order handling rules.

True peer-to-peer trading platforms are mostly embodied in decentralised exchanges (DEXs), where participants can trade crypto-assets directly without any intermediary. In recent years this model has evolved further, with perpetual DEXs now enabling trading of real-world assets and synthetic instruments with high leverage through on-chain order books.

Some traditional and fintech players have begun developing their own DEX infrastructure. At the institutional level, the DLT Pilot Regime represents a significant attempt to bridge traditional finance and on-chain trading (see 6.1 Permissible Trading Platforms).

DEXs that are truly decentralised and operate without any identifiable intermediary fall outside MiCA’s scope. However, it remains unclear how many platforms satisfy such condition. This exemption does not extend to the trading of security tokens, which remain subject to the MiFID II/CMUA framework.

Beyond the question of the regulatory parameter, DEXs pose other significant challenges:

• AML compliance is difficult to enforce as there is no central entity responsible for implementing KYC procedures or monitoring transactions; and
• consumer protection is largely absent, which makes it easy for retail participants to incur significant financial harm.

Investment firms are prohibited from accepting any benefit in connection with the routing of client orders. Such benefits remain permissible only where the firms contribute to improving the quality of the service.

Crypto-asset service providers are prohibited from receiving any benefit for routing client orders under MiCA.

These rules effectively eliminate business models built on order flow monetisation in the EU. This may also result in costs being transferred to clients through increased commissions or fees.

Market abuse of both financial instruments and crypto-assets is regulated, through the EU Market Abuse Regulation and MiCA respectively. Both frameworks prohibit the following conduct:

• insider dealing – trading on the basis of precise, non-public information that would likely have a significant effect on the asset’s price if it were made public;
• market manipulation – conduct that gives false or misleading signals as to the supply, demand or price of an asset, or that secures prices at an abnormal or artificial level; and
• unlawful disclosure of inside information – communicating inside information to another person outside of the recognised exceptions.

Both frameworks impose positive obligations, such as mandatory disclosure of inside information by issuers and a requirement for persons arranging or executing transactions to have effective measures in place to prevent, detect and report market abuse.

Crypto-assets that fall outside MiCA’s scope and do not qualify as financial instruments are not subject to any specific market abuse regime.

Creation and usage of algorithmic and high-frequency trading in financial instruments are regulated primarily through the CMUA and through Delegated Regulation (EU) 2017/589.

For crypto-assets (that are not considered financial instruments) and commodities, there is no specific regulation addressing algorithmic trading.

Algorithmic Trading of Financial Instruments

In the context of algorithmic trading, investment firms and operators of regulated markets are subject to regulation. Other persons using an algorithmic trading system on their own account do not require a licence solely on this basis.

An investment firm engaged in algorithmic trading must in particular:

• implement effective systems and risk controls;
• fully test and continuously monitor its systems;
• have robust business continuity recovery plans in place;
• notify the competent authority and the relevant trading venue that it engages in algorithmic trading; and
• comply with reporting obligations to the CNB and maintain records to monitor compliance.

Organisers of regulated markets whose trading systems are used by algorithmic traders must implement effective systems to ensure that algorithmic systems cannot create trading conditions that disrupt orderly market functioning, and to deal with any such disruptive conditions if they do arise.

All persons engaging in high-frequency trading must hold a licence from the CNB.

A market maker under the CMUA is an entity that continuously participates in financial markets and trades on its own account by buying and selling financial instruments with its own capital at self-determined prices. The use of algorithmic trading alone does not automatically qualify as market making.

Any person employing algorithmic trading while acting as a market maker must hold a licence issued by the CNB.

Beyond the general obligations applicable to all investment firms, a market maker using algorithmic trading must, in particular, pursue its market-making activity continuously and enter into a written agreement with the trading venue operator specifying the obligations for providing liquidity and the associated remuneration.

Dealers must hold an investment firm licence and are therefore subject to the algorithmic trading obligations.

Funds themselves are subject to the algorithmic trading regime under the CMUA only if they are members of or participants in regulated markets or multilateral trading facilities.

The main difference between these models is that a dealer typically executes individual trades based on a client’s specific preferences or instructions. A fund manager, on the other hand, makes collective investment decisions on behalf of multiple pooled investors in accordance with a uniform fund strategy.

Programmers solely developing trading algorithms and other electronic trading tools are generally not subject to algorithmic trading regulatory frameworks.

Since investment firms are subject to regulatory requirements for system robustness, developers creating algorithms for such entities should design these systems in compliance with the applicable standards.

Czech insurtech providers often use automated decision engines that assess risk in real time at the point of sale, drawing on structured data inputs (eg, age, location, income) to generate instant pricing.

Insurtech providers are subject to the same regulatory framework as traditional insurers, and are thus required to act honestly, professionally and in the client’s best interests. Insurtech providers typically operate either as independent intermediaries, requiring CNB authorisation, or as tied agents, requiring only registration.

Where AI is used in underwriting or pricing, insurtech providers may qualify as providers or deployers of high-risk AI systems under the EU AI Act, triggering obligations relating to accuracy, reliability and transparency of functioning.

The Czech Insurtech Association’s planned regulatory sandbox may stimulate further innovation in this sector.

The Czech Insurance Act distinguishes between life and non-life insurance (eg, property, liability or travel). Licensing by the CNB is specific to these categories and insurers may only provide services that are permitted by their specific authorisation. Czech law generally does not allow insurers to operate life and non-life insurance simultaneously, except for limited combinations.

Capital requirements for insurers range from CZK70 million to CZK200 million for non-life insurers, and CZK105 million for life insurers. Where life and non-life activities are operated concurrently under the permitted exception, the statutory initial capital must equal the sum of the respective minimums for life and non-life insurance.

Non-life insurance products require the provision of a standardised Insurance Product Information Document at the point of sale. Investment-based products (ie, mostly life insurance) attract more extensive disclosure and conduct obligations, reflecting their long-term and savings-related nature.

Regtech providers are not regulated as a distinct category under Czech law. Whether a regtech provider becomes regulated depends on the nature of the activities it performs.

These are some of the frameworks that may apply:

• DORA – Where a regtech provider provides technology services to financial institutions, those institutions must include mandatory provisions in their contracts, such as audit rights and data security standards. Systemically important providers can be placed under EU supervisory oversight.
• GDPR – Where the regtech provider processes personal data, it must implement appropriate technical and organisational measures and comply with EU data protection rules.
• Czech AML Act – Where the regtech provider is involved in AML/KYC processes, it may itself become subject to AML obligations.
• EU AI Act – Where the regtech provider develops or deploys AI systems, it may trigger obligations around accuracy, transparency and human oversight.

Contractual terms imposed on technology providers are, in some cases, dictated by regulation depending on the nature of the services provided. Notable examples include:

GDPR

Where a technology provider processes personal data on behalf of another party, the parties must enter into a data processing agreement covering purpose limitation, appropriate technical and organisational security measures, breach notification obligations and mechanisms for the exercise of data subject rights.

DORA

Financial institutions must include mandatory provisions in contracts with technology providers, covering for example, availability, confidentiality of services, data access and recovery rights, incident management and business continuity obligations, and a duty to co-operate and provide assistance without additional charges.

It is common to negotiate service level agreements specifying uptime guarantees and resolution times.

Czechia is starting to embrace blockchain technology across its financial sector, with initiatives spanning a Czech-crown stablecoin and tokenisation platforms, and banks exploring ways to offer digital asset services to their clients while investing in blockchain start-ups.

The Central Securities Depository Prague, the main Czech depository, received the EU’s first authorisation to operate a DLT-based settlement system. This system enables the registration and transfer of some of the financial instruments on a blockchain.

The CNB has created a test portfolio of digital assets with a total acquisition value of USD1 million. The purpose of the portfolio is to gain practical experience in holding digital assets, testing the technical administration of private keys, crisis scenarios, security mechanisms and verifying AML compliance.

The CNB has received one of the highest numbers of applications for crypto-asset service providers licences in the EU, issuing six licences to date.

The CNB’s approach to blockchain is cautious yet open, as evidenced by its own cryptocurrency acquisitions and testing. It occasionally issues guidance on ambiguous issues, such as the regulatory treatment of staking. The primary source of regulatory direction is the EU, mostly through the European Securities and Markets Authority (ESMA).

Czechia has also addressed, in an amendment to the Czech AML Act, a new licensing procedure within the purview of the FAU for entities providing services related to virtual assets that fall outside the scope of MiCA.

MiCA distinguishes electronic money tokens (EMTs) that achieve a stable value by being pegged to a single official currency, asset-referenced tokens (ARTs) that achieve a stable value by being pegged to a specific asset or basket of assets, and crypto-assets that differ from EMTs and ARTs (a residual category that includes utility tokens).

Issuers of EMTs and ARTs must obtain prior authorisation from the CNB, which can be difficult to secure in practice. Issuers of other crypto-assets are not subject to the authorisation requirement but must notify the CNB and publish a white paper prior to issuance.

Where a blockchain asset meets the definition of a financial instrument under MiFID II, MiCA explicitly does not apply. Such assets (usually called security tokens) are regulated as traditional financial instruments.

Non-fungible tokens (NFTs) that are genuinely unique and do not qualify as financial instruments fall outside the scope of both MiCA and MiFID II. However, certain services relating to NFTs may trigger licensing obligations under the Czech AML Act.

The classification of crypto-assets (ie, mainly whether a crypto-asset qualifies as a financial instrument) remains open to discussion. While ESMA has provided guidance on this matter, each case needs to be determined individually.

Issuers of blockchain assets are regulated based on the classification of the asset they issue.

For crypto-assets under MiCA, the requirements vary by category. Issuers of ARTs must obtain authorisation from the CNB, unless they are a credit institution or fall within the de minimis category. Issuers of EMTs must be a credit institution or an e-money institution. Issuers of crypto-assets other than ARTs and EMTs do not require prior authorisation, but must publish a white paper and notify the CNB before issuance, unless exempted.

Security token issuers fall outside MiCA and are subject to the rules applicable to traditional financial instruments. A public offering of security tokens triggers obligations requiring a prospectus to be prepared, approved by the CNB and published prior to the offering.

While the tokenisation of real-world assets is gaining momentum, the resulting tokens usually fall within the security token category and remain subject to the traditional regulatory framework for financial instruments.

NFT issuers are not subject to specific issuance obligations, provided the NFTs are genuinely unique. However, where their issuance is coupled with the provision of related services, the Czech AML Act obligations applicable to virtual asset service providers may be triggered, potentially requiring authorisation from the FAU.

The regulatory regime for trading platforms depends on the type of blockchain asset being traded. The two primary frameworks are mutually exclusive: MiCA governs platforms trading crypto-assets, while MiFID II/CMUA governs platforms trading security tokens. The Czech AML Act may govern platforms providing services related to NFTs.

Crypto-asset platforms must obtain a licence from the CNB. Only legal entities established in the EU may provide such services, with a single licence passportable across all member states. Platforms that are fully decentralised with no identifiable intermediary fall outside MiCA’s scope, though the threshold for qualifying as sufficiently decentralised remains unclear. Pure peer-to-peer transactions without any intermediary equally fall outside MiCA.

Security token trading venues fall outside MiCA and must instead obtain authorisation under MiFID II/CMUA, with the CNB as the competent authority. Alternatively, a platform may seek authorisation under the DLT Pilot Regime (see 6.1 Permissible Trading Platforms), which allows trading and settlement of tokenised securities on-chain, and grants certain regulatory accommodations, eg, direct retail investor access. The CNB has already granted such authorisation to the Czech Central Securities Depository.

Platforms facilitating the trading of NFTs may require authorisation from the FAU.

Staking as such is not regulated under MiCA. However, ancillary activities connected with the provision of staking services may in certain cases qualify as a regulated service (eg, custody or administration of crypto-assets on behalf of clients), in which case a licence from the CNB may be required.

Where staking services fall outside MiCA’s scope, the provider may require authorisation from the FAU as a virtual asset service provider.

The CNB has explored whether the pooling of crypto-assets from multiple clients for the purpose of staking could constitute a collective investment scheme. It concluded that classical on-chain staking, where the provider itself performs the validation of transactions, represents a non-financial activity and fund regulation does not apply. However, this conclusion may differ depending on whether ownership of the crypto-assets is transferred to the provider, and whether the provider retains a portion of the staking rewards.

Lending as such is not regulated under MiCA. However, ancillary activities connected with the provision of lending services may in certain cases qualify as a regulated service (eg, custody) in which case, a licence from the CNB may be required.

Where lending services fall outside MiCA’s scope, the provider may require authorisation from the FAU as a virtual asset service provider.

If a platform pools crypto-assets from multiple lenders to on-lend them collectively, the CNB may examine whether this constitutes a collective investment scheme.

Cryptocurrency derivatives qualify as financial instruments under MiFID II and are excluded from MiCA’s scope.

Where a crypto-derivative takes the form of a transferable security, a public offering may also trigger prospectus obligations under the Prospectus Regulation. 

With the growing popularity of perpetual cryptocurrency exchanges usually offering high leverage, ESMA has warned that such products are likely to fall within the scope of the existing national product intervention measures applicable to contracts for difference (CFDs).

Crypto-asset services provided in a fully decentralised manner without any intermediary fall outside MiCA’s scope. However, the scope of this exception remains unclear and difficult to satisfy in practice. Most DeFi platforms retain some degree of centralisation, whether through insiders controlling governance tokens or upgradeable smart contracts controlled by a limited group.

Where a DeFi platform deals with security tokens, such platform would come within the MiFID II/CMUA framework. However, if the service is genuinely provided by autonomous software governed by a decentralised voting mechanism across a large number of anonymous wallets, identifying a liable legal person becomes challenging.

Under Czech law, collective investment funds are generally prohibited from directly investing in crypto-assets, as these do not qualify as eligible assets under the applicable regulatory framework. Investment into certain security tokens may potentially be permissible.

Qualified investor funds offer greater flexibility, but direct crypto-investment remains difficult in practice, due to the reluctance of licensed asset managers and depositaries to service crypto-focused funds.

In practice, Czech cryptocurrency funds gain indirect exposure to blockchain assets through investments in foreign crypto-funds, crypto-related equities or exchange-traded funds.

The term “virtual currency” is defined in the Czech AML Act and refers to crypto-assets that fall under MiCA, as well as to certain NFTs.

Virtual currencies in the traditional sense (ie, tokens functioning solely as a means of exchange on a blockchain) would usually fall into the category of crypto-assets other than asset-racked tokens and e-money tokens, requiring only a white paper prior to issuance.

NFTs fall outside MiCA’s scope. However, entities providing services related to NFTs, such as operating an NFT trading platform or exchange, may require authorisation from the FAU as virtual asset service providers.

That said, the NFT classification must be assessed on a case-by-case basis. Where NFTs are issued in large series, they may slide back within MiCA’s scope. Similarly, an NFT that represents rights in an underlying asset may do so in a manner that qualifies it as a financial instrument.

Stablecoins are regulated under MiCA, which establishes EMTs and ARTs.

EMTs reference a single official currency to stabilise their value. They may only be issued by licensed credit institutions or e-money institutions. Holders have a direct claim against the issuer for redemption in fiat currency. Issuers must maintain reserve assets covering the full outstanding value, of which at least 30% must be held in deposits at a credit institution. The remainder may be invested in highly liquid, low-risk financial instruments with appropriate concentration limits. Paying interest to holders is prohibited.

ARTs reference a basket of assets, currencies or commodities. Issuers must obtain prior authorisation from the CNB, unless they are a credit institution or a de minimis exemption applies. Reserve assets must be segregated, held in safe custody and invested exclusively in highly liquid, low-risk financial instruments. Holders have a right of redemption against the issuer. Paying interest to holders is prohibited.

In both cases, issuers must publish a white paper and notify it to the CNB prior to issuance.

Issuers of EMTs/ARTs exceeding ten million holders or EUR5 billion in outstanding value, fall under enhanced direct supervision by the European Banking Authority (EBA).

Algorithmic stablecoins that maintain their value solely through algorithmic mechanisms, without backing reserve assets, are prohibited.

Banks are obliged to grant third parties who are authorised to provide payment services access to a client’s payment account, subject to the client’s consent. The client may either grant access to their balance and transaction data, or authorise the service provider to initiate a payment transaction on their behalf. Banks must not create any obstacles to third-party provider access to payment accounts.

In view of the continuing problems associated with the practical functioning of open banking, the forthcoming EU Payment Services Regulation will further strengthen these rules, directly addressing Europe’s structural dependence on non-European card schemes and supporting the development of a competitive domestic payment alternative.

Open banking inherently involves the processing of personal financial data, making privacy and security a central concern.

However, banks and technology providers operate within a tightly regulated framework. They are required to hold a licence from the CNB and must maintain robust organisational and technical security measures as a condition of that licence.

The forthcoming new EU payment services framework (PSD3/PSR) will tighten these requirements further, introducing stricter standards for application programming interface (API) security.

Fraud in financial services is primarily governed by the Criminal Code. Determination of fraud requires that a deliberate act of deception or concealment of material facts was committed, causing another person to act to their own detriment, resulting in damage to property.

In the world of financial services, fraud increasingly manifests through sophisticated digital methods.

Current trends monitored by the CNB and the police show that the prevalent tactics involve phishing, smishing and vishing. These methods create a false sense of legitimacy, with fraudsters mimicking the communication styles and visual identities of financial institutions or state authorities to harvest sensitive log-in credentials or payment card details, or to persuade victims to insert money into bitcoin ATMs.

These techniques are frequently enhanced by spoofing, which allows the fraudster’s phone number to appear as the official contact line of a legitimate institution.

Regulatory focus is primarily centred on mitigating digital financial crime, with particular emphasis on investment fraud and Ponzi-type schemes.

Investment fraud is of special concern given the scale of harm involved (damages can reach billions of CZK and affect large numbers of victims). The National Organized Crime Agency (NCOZ) has dealt with several cases of subsidy fraud involving significant financial damages, where funds were extracted under the pretext of scientific research or technological innovation.

Regulatory attention is also directed towards crimes related to cryptocurrencies. These have become a key tool for anonymising financial transactions, especially in the context of money laundering and fraudulent schemes. Perpetrators employ social engineering techniques, deepfake technologies and phishing campaigns to gain access to victims’ assets.

Of significant concern is the misuse of cryptocurrency mixers, which help disperse traces of transactions and make the detection of criminal activity more difficult.

Fintech service providers are generally required to perform their services with due professional care and are liable for damages arising from any breach of their statutory or contractual obligations.

Payment service providers are liable for unauthorised, unexecuted or incorrectly executed transactions. Where losses result from a lost or stolen payment instrument, the payer’s liability may be capped at EUR50. 

The new EU payment services framework (PSD3/PSR) will expand provider obligations. Key measures include an obligation to verify consistency between a payee’s IBAN and name prior to execution and the introduction of a cross-provider fraud data sharing mechanism.