On December 6, 2024, the Chamber of Deputies of the Czech Republic approved the Act on Digitalisation of the Financial Market (ZDFT), which represents an important step in adapting the Czech legal framework to European regulations in the area of digital financial markets.
The Act responds to the challenges associated with the application of Regulation (EU) 2022/2554 of the European Parliament, the Council on the Digital Operational Resilience of the Financial Sector (DORA), Regulation (EU) 2023/1114 of the European Parliament, and of the Council on Markets in Crypto Assets (MiCA). The aim of the ZDFT is to create a solid foundation for the application of these regulations in the Czech context, and thus ensure the stability and security of digital financial transactions.
Here, we present the main features of the new law, its practical implications, and the specifics of Czech regulation in the area of digital finance and crypto assets – including the role of the Czech National Bank (CNB) as a key regulator in this rapidly developing sector.
Position of the Czech National Bank on sanctions
One of the key aspects of this legislation is the role of the CNB, which will become the sole and common authority under both regulations. The CNB will not only oversee compliance with the new rules, but also supervise service providers in the field of crypto-assets and other digital finance. Further, all incidents under DORA are to be reported to the CNB, as the Czech Republic did not make use of the discretion to create Computer Security Incident Response (CSIRT) teams.
Czech legislators ensured that the CNB is equipped with relevant powers (such as those based on Articles 94 and 111 MiCA) by either specifically listing them in the ZDFT, or relying on the powers that CNB has already been granted. The legislature grants additional powers to the CNB, including:
- The power to impose specific interim measures in cases concerning the prevention of market abuse (Title VI MiCA). The CNB may order, by way of a preliminary measure, that no transfers of the assets or funds in question be carried out if a person is the subject of sanction proceedings. This applies to the person holding the individual’s crypto-assets, the crypto-assets that have been transferred by the individual, and the bank or credit union holding the individual’s account or the account to which they have transferred funds.
- Enforcement fines. Compliance with corrective measures is enforced by the CNB through the successive imposition of enforcement fines. The amount of each fine may not exceed approximately EUR 200,000 (CZK 5,000,000), and the aggregate amount may not exceed approximately EUR 800,000 (CZK 20,000,000).
- The CNB’s ability to maintain its own registers under MiCA. In other words, registries of white papers, stablecoin issuers, cryptocurrency-related service providers, among others. However, these lists will be informative only, and the primary information will always be the information contained in the registers maintained by the European Securities and Markets Authority (ESMA) pursuant to Articles 109 and 110 MiCA.
Furthermore, the CNB is authorized to impose a range of sanctions for offences, which may consist of violations of DORA or MiCA, as well as violations of the ZDFT. The Czech legislation has not used the possibility of imposing criminal sanctions for violations of the regulation either in the case of DORA (Article 52) or MiCA (Article 111(1)). At the same time, however, the addressees of these regulations may still commit offences generally related to their activities, eg, the offence of unauthorized business.
The obligation to sanction offences by a financial entity consisting of a breach of DORA derives directly from this regulation, but the level of sanctions has been left to the individual states. While the standard fines in EU financial services legislation are often millions of euros, the amounts in the case of the ZDFT are of lower magnitude, particularly due to the fact that DORA also applies to much smaller entities, such as banks. The maximum fine for breaches of DORA is up to CZK 50,000,000 (approximately EUR 2,000,000 as of January 2025), which may be imposed for failure to comply with the risk management framework, failure to implement an information and communication technology business continuity policy, failure to comply with the notification obligation under Article 19 of DORA, or failure to comply with the digital resilience testing obligation.
With respect to the offenses and penalties for MiCA violations, the legislature was required to follow the requirements set forth in the MiCA. In all cases, the ZDFT provides for the lowest possible penalties allowed by the regulation. The penalties have been expressed in CZK in the Czech law, based on the exchange rates from December 29, 2023. However, it is worth noting that due to the movement of the exchange rate between CZK and EUR from June 29, 2023 to January 2025, when the Czech koruna appreciated against the EUR, the penalties as of January 2025, when converted into EUR, are even lower than the EUR amounts otherwise provided for in the MiCA Regulation.
For natural persons, the maximum penalty is CZK 118,475,000 (approximately EUR 4,700,000 as of January 2025) or three times the amount of the undue benefit. For legal persons, the maximum penalty is CZK 355,425,000 (approximately EUR 14,100,000 as of January 2025), or 15 percent of the total annual turnover of the offender, or three times the amount of the undue benefit.
Provision of services related to crypto-assets
The Czech Republic has not exercised its discretion to shorten or exclude this grandfather clause (143(3) MiCA), but specified that it would only apply to providers who operated on the basis of the free trade "provision of services related to virtual assets" under Act No. 455/1991 Coll, Trade Licensing Act, as of December 30, 2024.
In terms of the specifics of the performance of activities related to crypto-assets markets, the ZDFT first specifies the application of the requirements arising from MiCA in the Czech legal order, in particular its connection to other applicable Czech acts, such as Act No. 370/2017 Coll. on payment transactions (Payment Transactions Act) regarding stablecoins, or Act No. 182/2006 Coll., the Insolvency Act, regarding the protection of asset reserves at stablecoins and any funds collected from holders.
The obligation of service providers to periodically inform the competent supervisory authority (ie, the CNB) of the facts listed in Article 67 MiCA will be fulfilled in the Czech legal environment by submitting officially audited financial statements four months prior to the end of the accounting period.
Further, individual Member States have been given the power to set requirements for the competence of service providers under MiCA (81(7) MiCA). In the context of the ZDFT, this includes knowledge of the regulation and provision of services related to crypto-assets, as well as the ability to properly explain the nature of crypto-assets and information relating to crypto-assets or crypto-related services to the customer, and to provide recommendations. The legislator further states that as the crypto-asset market has a large variability of assets, a basic understanding of the structure, entities, and functioning of this market is required. They state that the provider should have a sufficient overview of the basic investment and payment assets offered in the market, particularly in the EU market.
In addition to MiCA, the ZDFT introduces an obligation for service providers to have the adequacy of the measures taken to protect assets, in particular entrusted funds, verified by the law governing auditing activities, with a report on this verification to be provided to the CNB without delay.
By Tomas Scerba, Partner, and Jan Metelka, Associate, DLA Piper
