There are no formal licensing requirements in Cuba in the electronic commerce sector. However, Cuba has only one online trading platform called Tuenvio.cu, which is managed by the state-owned company CIMEX. This, indirectly, represents a restriction that excludes foreign companies that want to seek licenses to manage an electronic commerce platform.

Law 149/2022 includes provisions for cross-border data transfer and outlines that there are only five specific exceptions for data transfers outside the country. The cross-border data transfer is therefore only allowed in the case of international judicial cooperation, exchange of medical data when necessary for the treatment of the data subject, bank or stock exchange transfers about the relevant transactions, under applicable international treaties, and if the transfer of data is for the purpose of international cooperation in the fight against crime (Art. 65.1). In addition, Art. 66 grants to certain authorities the competencies to authorise the international transfer of personal data in other circumstances.

Cuba has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 149/2022 on Personal Data Protection establishes a comprehensive framework for the regulation of personal data in Cuba. While the Law does not create a dedicated data protection authority, it assigns responsibility for ensuring compliance to the Ministry of Justice (MINJUS).

Art. 60 of Decree-Law No. 360/2019 establishes that computer systems in which access is possible by multiple users should implement a personal and unique user identifier. The article adds that the people to whom user identifiers are assigned are responsible for the actions realised with their user identifier. In the event of termination of the employment relationship or other causes determined by the entity managing the computer system, the user identifier should be eliminated. In all cases, the traces of the use of the access credentials should be preserved for a period of at least one year.

Art. 18 of Decree-Law No. 35/2021 obliges telecommunications and ICT operators or providers to supply the Ministry of Communications with whatever information it considers necessary to fulfil its functions, and to provide the institutions responsible for national security, defence and public order, namely the ministries of the Revolutionary Armed Forces and of the Interior and the National Civil Defence Staff, with the technical facilities and services they may require. Art. 68 further requires such operators and providers to ensure that their operating systems, equipment and devices, including those they intend to import or manufacture, offer the facilities required for technical supervision and control and for the lawful interception of communications by the competent authorities in accordance with statutory provisions, as well as the sovereign use of methods and means for securing systems and services. Art. 128 additionally mandates that legal and natural persons subject to inspection in the telecommunications or ICT sphere or in the use of the radio spectrum must cooperate with supervisory officials by providing requested books, records, documents and access to equipment installations, and by permitting examination of all elements related to the services or activities they conduct and any relevant data or background information in their possession, without prejudice to constitutionally recognised rights. None of these provisions requires a judicial warrant or court order.

A basic legal framework on intermediary liability for copyright infringement is absent in Cuba's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Cuba's law and jurisprudence.

It is reported that access to web access points such as Wi‑Fi hotspots, cybercafés and public access centres requires users to register with their personal identification information.

Art. 60 of Decree-Law No. 360/2019 establishes that computer systems in which access is possible by multiple users should implement a personal and unique user identifier. The article adds that the people to whom user identifiers are assigned are responsible for the actions realised with their user identifier. In the event of termination of the employment relationship or other causes determined by the entity managing the computer system, the user identifier should be eliminated. In all cases, the the traces of use of the access credentials should be preserved for a period of no less than one year.

It is reported that Cuba’s approach to SIM registration obliges mobile network operators to collect and store users’ personal information, including proof of identity; however, the relevant legislation could not be located.

According to Art. 51 of Decree-Law No. 360/2019, providers and operators must:
- block the sending, receiving or transmission of harmful mass messages that are sent through their networks and use their services;
- Temporarily suspend for up to a month communications between their networks and those established with the networks of foreign operators or providers that do not adopt the necessary measures to prevent the traffic of harmful mass messages, which is notified within 72 hours after to its suspension and, in the same term, report to the Ministry of Communications;
- Temporarily suspend for up to one month the service provided to users responsible for sending harmful mass messages, which is notified within 72 hours after its suspension and, in the same period, informs the Ministry of Communications, the agencies of the Ministry of the Interior or the Office of the Attorney General of the Republic.
In Art. 53, the Decree establishes that any natural or legal person who transports them or mediates in their dissemination or transmission or has influenced their content is responsible for sending harmful mass messages if, through their technical means, they had known it and did not avoid its transportation, dissemination, transmission, sending and forwarding.

According to Art. 69 of Decree-Law No. 35, telecom operators and providers, in coordination with authorities, must implement technical measures to minimise risks associated with their networks and services. They must also interrupt services if used to harm other operators or countries, transmit false, offensive, or harmful information, or content that is sexual, discriminatory, harassing, invades privacy, or affects personal dignity, identity, integrity, public morality, public order, or is used for illegal acts, irrespective of any resulting criminal, civil, or administrative liability.

It is reported that certain messaging applications showed signs of blocking during the period from 1 June 2024 to 31 May 2025.
The blockings are most likely implemented in accordance with Art. 69 of Decree-Law No. 35/2021, which stipulates that public telecommunications and ICT service operators and providers, in coordination with the competent authorities, shall implement technical operational and supervisory measures to minimise the risks associated with the use of their networks and services, or to suspend such services when they are employed in a manner that affects the networks or services of other operators or countries. This includes instances in which such networks or services are used to disseminate false or offensive information, material detrimental to human dignity, sexual or discriminatory content, or content that incites harassment; that infringes personal or family privacy, or compromises an individual’s image, voice, identity, integrity, or honour; that threatens collective security, general welfare, public morality, or respect for public order; or that serves as a means for committing unlawful acts, irrespective of any ensuing criminal, civil, or administrative liability.

The indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 2 in Cuba for the year 2024. This corresponds to "The government shut down domestic access to the Internet several times this year."