CZECH REPUBLIC Law and Practice Contributed by: Stanislav Šimek, Vojtěch Mlynář and Jakub Dostál, BADOKH
However, legacy players benefit from certain advantages in some areas. Under MiCA, some legacy players who are already licensed do not need to obtain a separate licence to provide crypto-asset services or issue e-money tokens.

2.5 Regulatory Sandbox

In early 2026, the CzechInvest Fintech Regulatory Sandbox entered its main operational phase, becoming the first comprehensive state initiative aimed at systematically supporting financial innovations.

At present, 21 projects have been selected for the programme, which is focused on testing new financial services, tools and unique solutions for the digital economy (such as payment services, accounting and investment and crowdfunding platforms). The sandbox is open primarily to SMEs developing technologies that require regulatory clarification or technological testing. The timing for the next application round has not yet been announced.

2.6 Jurisdiction of Regulators

The CNB serves as the primary regulator for licensed financial market participants, with jurisdiction over banks, payment institutions, e-money institutions, investment firms, insurance companies, crowdfunding platforms and the majority of crypto-asset service providers. The CNB issues licences, conducts ongoing supervision and may impose sanctions. Where an entity is already supervised by the CNB, the CNB also assumes AML supervisory responsibility.

The Office for Personal Data Protection has exclusive jurisdiction over compliance with the EU General Data Protection Regulation (GDPR).

The FAU supervises AML compliance for obliged persons not otherwise supervised by the CNB and issues registrations for crypto-asset service providers falling outside the scope of MiCA.

At the EU level, the European Supervisory Authorities exercise direct supervisory powers in specific areas, most notably over systemically important entities such as significant stablecoin issuers and critical technology providers serving financial institutions.

2.7 No-Action Letters

Regulators generally do not issue no-action letters. The CNB, however, provides interpretative opinions and guidance notes on the regulatory qualification of specific activities, which offer a degree of regulatory certainty in practice.

2.8 Outsourcing of Regulated Functions

Regulated functions may be outsourced, but the outsourcing entity remains fully responsible for all outsourced activities. Prior to outsourcing, the entity must conduct due diligence to assess whether the arrangement increases operational risk, and take all the necessary measures to mitigate such risk.

Where the outsourced activities involve technology services provided to a financial institution, the outsourcing contract must include mandatory provisions covering availability, data access and recovery rights, audit rights, incident management and business continuity obligations, and a duty to co-operate and provide assistance without additional charges.

Where personal data is processed by the provider, a GDPR-compliant data processing agreement is required, which must cover purpose limitation, appropriate technical and organisational security measures, breach notification obligations and mechanisms for the exercise of data subject rights.

Outsourcing to a regulated entity is not mandatory but is generally preferable, as regulated providers are already subject to supervisory oversight and tend to have established compliance frameworks.

2.9 Gatekeeper Liability

Most fintech providers are treated as gatekeepers under AML rules. They are responsible for monitoring their clients’ transactions on an ongoing basis and reporting suspicious activity.

Additionally, entities qualifying as gatekeepers under the EU Digital Markets Act must comply with obligations around interoperability, data access and fair