There are no formal licensing requirements in Cuba in the electronic commerce sector. However, Cuba has only one online trading platform called Tuenvio.cu, which is managed by the state-owned company CIMEX. This, indirectly, represents a restriction that excludes foreign companies that want to seek licenses to manage an electronic commerce platform.

According to Art. 8 of Decree-Law 370, the Ministry of Communications issues licenses to providers of services related to the computerisation of Cuba so that they can project, install, maintain and market computer programs and applications according to the conditions set forth in the law.

Resolution No. 127/2019 establishes the regulations governing the organisation, operation, and issuance of operating licences for providers of public internet hosting services in the national territory. Art. 5 provides that the licence is granted by the "Unidad Presupuestada Técnica de Control del Espectro Radioeléctrico del Ministerio de Comunicaciones" (UPTCER).

According to Art. 2 of Resolution No. 153, all entities established in Cuba to carry out export or import activities must be registered in the National Registry of Exporters and Importers.

Law No. 149/2022 on Personal Data Protection establishes a comprehensive framework for the regulation of personal data in Cuba. While the Law does not create a dedicated data protection authority, it assigns responsibility for ensuring compliance to the Ministry of Justice (MINJUS).

Art. 60 of Decree-Law No. 360/2019 establishes that computer systems in which access is possible by multiple users should implement a personal and unique user identifier. The article adds that the people to whom user identifiers are assigned are responsible for the actions realised with their user identifier. In the event of termination of the employment relationship or other causes determined by the entity managing the computer system, the user identifier should be eliminated. In all cases, the traces of the use of the access credentials should be preserved for a period of at least one year.

Art. 18 of Decree-Law No. 35/2021 obliges telecommunications and ICT operators or providers to supply the Ministry of Communications with whatever information it considers necessary to fulfil its functions, and to provide the institutions responsible for national security, defence and public order, namely the ministries of the Revolutionary Armed Forces and of the Interior and the National Civil Defence Staff, with the technical facilities and services they may require. Art. 68 further requires such operators and providers to ensure that their operating systems, equipment and devices, including those they intend to import or manufacture, offer the facilities required for technical supervision and control and for the lawful interception of communications by the competent authorities in accordance with statutory provisions, as well as the sovereign use of methods and means for securing systems and services. Art. 128 additionally mandates that legal and natural persons subject to inspection in the telecommunications or ICT sphere or in the use of the radio spectrum must cooperate with supervisory officials by providing requested books, records, documents and access to equipment installations, and by permitting examination of all elements related to the services or activities they conduct and any relevant data or background information in their possession, without prejudice to constitutionally recognised rights. None of these provisions requires a judicial warrant or court order.

A basic legal framework on intermediary liability for copyright infringement is absent in Cuba's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Cuba's law and jurisprudence.

It is reported that access to web access points such as Wi‑Fi hotspots, cybercafés and public access centres requires users to register with their personal identification information.

Art. 60 of Decree-Law No. 360/2019 establishes that computer systems in which access is possible by multiple users should implement a personal and unique user identifier. The article adds that the people to whom user identifiers are assigned are responsible for the actions realised with their user identifier. In the event of termination of the employment relationship or other causes determined by the entity managing the computer system, the user identifier should be eliminated. In all cases, the the traces of use of the access credentials should be preserved for a period of no less than one year.

It is reported that Cuba’s approach to SIM registration obliges mobile network operators to collect and store users’ personal information, including proof of identity; however, the relevant legislation could not be located.

According to Art. 51 of Decree-Law No. 360/2019, providers and operators must:
- block the sending, receiving or transmission of harmful mass messages that are sent through their networks and use their services;
- Temporarily suspend for up to a month communications between their networks and those established with the networks of foreign operators or providers that do not adopt the necessary measures to prevent the traffic of harmful mass messages, which is notified within 72 hours after to its suspension and, in the same term, report to the Ministry of Communications;
- Temporarily suspend for up to one month the service provided to users responsible for sending harmful mass messages, which is notified within 72 hours after its suspension and, in the same period, informs the Ministry of Communications, the agencies of the Ministry of the Interior or the Office of the Attorney General of the Republic.
In Art. 53, the Decree establishes that any natural or legal person who transports them or mediates in their dissemination or transmission or has influenced their content is responsible for sending harmful mass messages if, through their technical means, they had known it and did not avoid its transportation, dissemination, transmission, sending and forwarding.

According to Art. 69 of Decree-Law No. 35, telecom operators and providers, in coordination with authorities, must implement technical measures to minimise risks associated with their networks and services. They must also interrupt services if used to harm other operators or countries, transmit false, offensive, or harmful information, or content that is sexual, discriminatory, harassing, invades privacy, or affects personal dignity, identity, integrity, public morality, public order, or is used for illegal acts, irrespective of any resulting criminal, civil, or administrative liability.

It is reported that certain messaging applications showed signs of blocking during the period from 1 June 2024 to 31 May 2025.
The blockings are most likely implemented in accordance with Art. 69 of Decree-Law No. 35/2021, which stipulates that public telecommunications and ICT service operators and providers, in coordination with the competent authorities, shall implement technical operational and supervisory measures to minimise the risks associated with the use of their networks and services, or to suspend such services when they are employed in a manner that affects the networks or services of other operators or countries. This includes instances in which such networks or services are used to disseminate false or offensive information, material detrimental to human dignity, sexual or discriminatory content, or content that incites harassment; that infringes personal or family privacy, or compromises an individual’s image, voice, identity, integrity, or honour; that threatens collective security, general welfare, public morality, or respect for public order; or that serves as a means for committing unlawful acts, irrespective of any ensuing criminal, civil, or administrative liability.