The European AI Act is already in force as a directly applicable EU regulation, but to make it really work in practice, each country needs to set up a “national engine”: who will oversee how the procedure will run, who will be the point of contact, how high-risk AI will be tested and how sanctions will be imposed. This is what the MIT draft law on AI is intended to address in the Czech Republic.
The EU AI Act (Regulation (EU) 2024/1689) is a directly applicable regulation – similar to the GDPR. This means that the main rules for AI (risk categorisation, obligations of providers and deployers, prohibitions of certain practices, rules for high-risk systems, transparency requirements, etc.) are written directly in the European regulation and apply across the Union. However, some of its provisions are phased in
It’s just that even a “directly applicable” regulation needs to add practical things in each country, which the EU leaves to the member states – typically:
This is exactly what the Czech draft law on artificial intelligence aims to address. According to the summary of expert practice, it is supposed to be a regulation that will complement the AI Act, in particular on supervision, authorisation/testing processes and sanction mechanisms.
At the same time, the Ministry of Industry and Trade (MIT) communicates that it wants to follow a “minimalist” path: i.e. not to rewrite the obligations from the AI Act into the Czech law, but to add only what is needed to operate in the Czech Republic, while not hampering innovation with unnecessary administration.
The most important practical question for companies and authorities is: Who will control me and where do I turn when I solve a problem? The proposal divides competences among several institutions to build on their existing expertise (finance, telecommunications, personal data, etc.).
The expert summaries and the text of the proposal show the following basic model:
Practical implications for companies: when developing or deploying AI, it is not enough to know only the AI Act. You will need to know which authority has jurisdiction over your case (and when a case may “spill over” between authorities). The proposal even foresees an exchange of information between the CTU and the OIA when inspections or proceedings are initiated.
Are you using AI in your company or are you just considering it? Are you unsure if your tool falls under high-risk AI, who will supervise you, or how to prepare for an inspection under the AI Act and the Czech AI Act? Send us your question and get an answer within 24 hours.
In practice, “high-risk” systems – i.e. AI that can significantly interfere with people’s lives (typically in the areas of employment, education, healthcare, critical infrastructure, public services, etc.) – are the most addressed. The AI Act imposes the toughest obligations on them.
The Czech Adaptation Act does not go into detail on the technical requirements themselves (these are in the AI Act), but addresses the procedural framework of two key situations:
A) Operation of high-risk AI even without a conformity assessment (exceptional regime)
The proposal contains a procedure for authorising the placing on the market or operation of a high-risk AI system without a conformity assessment, providing that only the applicant is a party to the procedure and setting a decision period of up to 120 days.
This is important: it is not a “free pass” without rules, but a formal process in which the Authority examines whether the conditions are met and can amend or revoke the authorisation if the conditions are not subsequently met.
B) Testing high-risk AI in real-world conditions
The second big thing is the approval of testing high-risk AI in real-world conditions (so-called real-world testing). Again, the proposal sets up the procedure so that only the applicant is a participant and sets a time limit of up to 90 days for complex cases.
In practice, this is essential for companies that want to test AI on “live data” or with real users, but also need legal certainty that they are doing the right thing and that any risk is managed.
What to take away from this:
A regulatory sandbox is the concept of a “controlled environment” where an innovation can be tested with the supervision and methodological support of the state. For AI, this is particularly useful when the product is on the edge of a high-risk category, working with sensitive scenarios (e.g. biometrics, HR, scoring) or you need to safely verify user and compliance impacts.
The Czech proposal explicitly foresees a sandbox. According to the text of the proposal, the role of the founder is to be performed by the ÚNMZ and the operator is to be the Czech Standards Agency. The expert summaries add that it is to be a tool designed especially for small and medium-sized enterprises and that it will allow testing in a real environment with real clients.
One legal detail that is often overlooked is very practical: participation in the sandbox is not to be “by entitlement”. On the contrary, it is foreseen that participation will only arise on the basis of a contract and the mere submission of an application/offer does not mean automatic acceptance; the conditions and criteria will be published by the operator.
For companies, this means that the sandbox can be a strategic “bridge” between development and the market, but selection criteria and contractual settings (responsibilities, data, confidentiality, testing regime) have to be taken into account.
Tip: Were you surprised that your lawyer asked you for a certified signature, a copy of your ID and information about your income? You’re not alone. However, under the so-called AML law, these steps are not at the discretion of the attorney. What else should you know about the AML law?
The AI Act contains high fines and a generally strict sanction framework. The Czech draft law builds on this by adding procedural and institutional aspects of enforcement: who hears offences, who collects the fine, how the statute of limitations runs, etc.
A useful “softer” intermediate step follows from the technical summary: if someone violates an obligation in a less serious way, the supervisory authority can first give him a warning and invite him to remedy, with a deadline for remedy of no less than 15 days from the receipt of the warning.
This is important for compliance in practice: it gives room to correct the error (e.g. complete documentation, adjust internal process, improve user information) before going full “sanction” mode.
The proposal itself then also addresses the technical details that make the difference in real life:
Simply: the Czech law is supposed to be a “guide to the application” of the penalty part of the AI Act on Czech territory – who, how and in what procedure.
If you are a company, the AI Act may affect you in several roles: you may be a provider (you develop or market AI), a deployer/operator (you use AI in your company), or an importer/distributor. While the Czech draft law does not add extra “new technical obligations” for you (these are in the AI Act), it fundamentally changes two things:
Examples:
A company deploys a tool that sorts CVs and recommends candidates. If it falls into high-risk AI mode, “it works” is not enough. You’ll be dealing with internal documentation, risk management, transparency to candidates – and in practice, who your supervisory authority is if a complaint comes in (in some scenarios, the OSC may also play a role).
The bank or fintech uses AI to assess creditworthiness. Here, it is realistic that the supervision will fall under the CNB as it is an entity subject to its supervision. The mistake we see most often: the product team only addresses the “model” but does not legally address the role of the organization (who is the provider, who is the deployer) and who is responsible for compliance.
MIT also publicly anticipates that the bill could be effective during 2026 (depending on the legislative process).
The Czech draft law on artificial intelligence is a so-called “artificial intelligence bill”. the Czech AI Bill is an adaptation law to the European AI Act, which will mainly set practical rules for supervision, management and enforcement in the Czech Republic, not new technical requirements for AI itself; designate the main supervisory authorities (in particular the Czech Telecommunications Office as a single point of contact, the CNB for the financial sector and the Office for Personal Data Protection); and regulate the processes for authorising the operation and testing of high-risk AI systems in real-life conditions with fixed deadlines (typically 90 to 120 days), introduce a regulatory sandbox as a controlled environment for safe testing of innovations, set rules for offences and penalties, including the possibility to call for remedies first and impose fines later, while giving companies and public institutions a clearer legal framework on who and how they will interact with when developing, deploying or using AI in practice; the law is expected to come into force during 2026 and its main objective is to ensure the enforceability of the AI Act in the Czech environment without unnecessary administrative burdens.
In common parlance, yes, but legally it is more accurate to say “adaptation” law. The AI Act, as an EU regulation, applies directly; the Czech law is mainly intended to supplement the institutional and procedural aspects (supervision, management, sanctions, sandbox).
The proposal envisages that the primary role and the single point of contact will be the Czech Telecommunications Office, with additional roles for the CNB and the OCC.
The proposal addresses processes for exceptional situations where high-risk AI is allowed to operate without a conformity assessment, as well as the approval of real-world testing.
Both the expert summaries and the proposal work with indicative timeframes: typically up to 90 days for testing in particularly complex cases, up to 120 days for operating permits.
The Sandbox is intended to be a controlled testing environment. The proposal foresees that the founder will be the ÚNMZ and the operator will be the Czech Agency for Standardization; the participation is to be contractual and non-cost.
The proposal also foresees a “softer” procedure: for less serious infringements, the supervisory authority may first give a warning and a reasonable period of time to remedy (at least 15 days). Then the infringement/penalty mechanisms come into play.
In the technical summaries and communication around the proposal, it is expected to take effect during 2026, but the exact date will depend on the legislative process.
Our team of experienced attorneys will help you solve any legal issue. Within 24 hours we’ll evaluate your situation and suggest a step-by-step solution, including all costs. The price for this proposal is only CZK 690, and this is refunded to you when you order service from us.
Ondřej is the attorney who came up with the idea of providing legal services online. He's been earning his living through legal services for more than 10 years. He especially likes to help clients who may have given up hope in solving their legal issues at work, for example with real estate transfers or copyright licenses.
In person and online. Just choose the appropriate service or opt for an independent consultation when you are unsure.
