Art. 19 (e) of Resolution No. 179/08 requires that Internet access service providers must ensure that software with cryptographic systems or encrypted file transfer is not used.

Art. 21.8 of Resolution No. 99/2019 stipulates that applicants for an operating licence for private data networks must provide information concerning the cryptographic protocols and algorithms used to protect communications, which must have been authorised by the competent authority. Art. 27.l further requires holders to obtain approval for the use of any supported application or service that employs cryptographic methods for protecting transmitted information, with holder referring to the person authorised by the Ministry of Communications to provide private data transmission services through a private telecommunications network. Art. 2 defines a private data network as a telecommunications network whose infrastructure is installed within a single locality or across multiple geographically distinct localities interconnected by telecommunications links for the purpose of meeting the data service needs of its holder.

Although Law 118 on foreign investment does not restrict investments in the online commerce sector, the state company CIMEX, with its company Tuenvio.cu, is the only platform that offers online purchases in Cuba.

Art. 12 of Decree-Law No. 22/2020 establishes a quantitative limitation on non-commercial imports by providing that the total value of the goods contained in each consignment may not exceed USD 200.

In June 2020, Cimex Corporation notified all users of the "tuenvio.cu" e-commerce platform via email about new regulations for online purchases. According to these updated regulations, users of the Tuenvio.cu platform, which facilitates e-commerce in Cuba, is limited to one purchase per day for food and toiletries combos. These restrictions were outlined in Cimex's online shopping guide, which is available on the Tuenvio.cu platform, ensuring customers were aware of the daily purchase limits.

There are no formal licensing requirements in Cuba in the electronic commerce sector. However, Cuba has only one online trading platform called Tuenvio.cu, which is managed by the state-owned company CIMEX. This, indirectly, represents a restriction that excludes foreign companies that want to seek licenses to manage an electronic commerce platform.

Law 149/2022 includes provisions for cross-border data transfer and outlines that there are only five specific exceptions for data transfers outside the country. The cross-border data transfer is therefore only allowed in the case of international judicial cooperation, exchange of medical data when necessary for the treatment of the data subject, bank or stock exchange transfers about the relevant transactions, under applicable international treaties, and if the transfer of data is for the purpose of international cooperation in the fight against crime (Art. 65.1). In addition, Art. 66 grants to certain authorities the competencies to authorise the international transfer of personal data in other circumstances.

Cuba has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 149/2022 on Personal Data Protection establishes a comprehensive framework for the regulation of personal data in Cuba. While the Law does not create a dedicated data protection authority, it assigns responsibility for ensuring compliance to the Ministry of Justice (MINJUS).

Art. 60 of Decree-Law No. 360/2019 establishes that computer systems in which access is possible by multiple users should implement a personal and unique user identifier. The article adds that the people to whom user identifiers are assigned are responsible for the actions realised with their user identifier. In the event of termination of the employment relationship or other causes determined by the entity managing the computer system, the user identifier should be eliminated. In all cases, the traces of the use of the access credentials should be preserved for a period of at least one year.

Art. 18 of Decree-Law No. 35/2021 obliges telecommunications and ICT operators or providers to supply the Ministry of Communications with whatever information it considers necessary to fulfil its functions, and to provide the institutions responsible for national security, defence and public order, namely the ministries of the Revolutionary Armed Forces and of the Interior and the National Civil Defence Staff, with the technical facilities and services they may require. Art. 68 further requires such operators and providers to ensure that their operating systems, equipment and devices, including those they intend to import or manufacture, offer the facilities required for technical supervision and control and for the lawful interception of communications by the competent authorities in accordance with statutory provisions, as well as the sovereign use of methods and means for securing systems and services. Art. 128 additionally mandates that legal and natural persons subject to inspection in the telecommunications or ICT sphere or in the use of the radio spectrum must cooperate with supervisory officials by providing requested books, records, documents and access to equipment installations, and by permitting examination of all elements related to the services or activities they conduct and any relevant data or background information in their possession, without prejudice to constitutionally recognised rights. None of these provisions requires a judicial warrant or court order.

A basic legal framework on intermediary liability for copyright infringement is absent in Cuba's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Cuba's law and jurisprudence.

It is reported that access to web access points such as Wi‑Fi hotspots, cybercafés and public access centres requires users to register with their personal identification information.

Art. 60 of Decree-Law No. 360/2019 establishes that computer systems in which access is possible by multiple users should implement a personal and unique user identifier. The article adds that the people to whom user identifiers are assigned are responsible for the actions realised with their user identifier. In the event of termination of the employment relationship or other causes determined by the entity managing the computer system, the user identifier should be eliminated. In all cases, the the traces of use of the access credentials should be preserved for a period of no less than one year.