Fintech 2025

CZECH REPUBLIC Law and Practice Contributed by: Ondřej Mikula, Jan Šovar and Markéta Klabouchová, FINREG PARTNERS

2.11 Implications of Additional, Non-Financial Services Regulations

Data Protection
Regardless of the sector, fintech companies that process personal data must comply with the GDPR (Regulation 2016/679) and the ePrivacy Directive (Directive 2002/58/EC). In some cases, they must also comply with the Data Act (Regulation 2023/2854), which focuses on data sharing and compensation.

Cybersecurity
Cybersecurity is crucial for fintechs, which must meet sector-specific requirements (eg, payments, investments, insurance), including robust ICT security measures. From 2025, almost all financial service providers must adhere to the strict ICT security rules of DORA (Regulation 2022/2554), such as ICT risk management, ICT incident classification and reporting, and monitoring of third-party ICT risk. Finally, the NIS2 Directive (Directive 2022/2555), which repeals the NIS Directive (Directive 2016/1148) as of October 2024, is also important for some larger companies in the financial sector that provide essential services (ie, services that ensure the proper functioning of the market), as they are subject to specific cybersecurity obligations (eg, vulnerability detection or incident reporting).

Social Media Content
Fintech companies must comply with copyright and advertising laws and with regulations such as the Digital Services Act (the "DSA") (Regulation 2022/2065) and the Digital Markets Act (the "DMA") (Regulation 2022/1925). While the DSA regulates intermediaries offering services such as online marketplaces, cloud services or social media platforms, and its key objective is to prevent illegal and harmful activities online, the DMA sets out rules to prevent unfair practices by large online platforms (the so-called "gatekeepers") that are deemed to be too important to be left unregulated.

The AI Act
Another very important piece of legislation for fintech companies is the AI Act (Regulation 2024/1689), which entered into force in August 2024 and applies in phases between 2025 and 2027. The AI Act establishes obligations for various persons with a link to the EU market, such as providers, product manufacturers, importers, distributors and deployers (ie, persons who use AI systems in the course of their professional activity) of AI systems. The scope of the obligations is risk-based. While unacceptable-risk AI systems are prohibited (eg, social scoring) and high-risk AI systems are subject to extensive requirements, general-purpose AI models which do not pose systemic risk are subject to certain transparency and other general obligations.

Consumer Protection Legislation
Local consumer protection legislation, such as the Consumer Credit Act or the Civil Code, which implements various EU directives, is also relevant for industry players that target consumers.

2.12 Review of Industry Participants by Parties Other than Regulators
Entities with large-scale operations or regulated activities must have their financial statements reviewed by a qualified external auditor. Regulated entities such as banks, payment institutions and investment firms are also required to establish compliance, internal risk control and internal audit functions. Some regulated entities are even obliged to subject certain of their activities, such as customer asset protection measures, to specific external audits. In addition to regulators and auditors, various authorities, such as tax authorities, the Financial
