It is reported that Decree No. 2025/2015 creates burdensome restrictions and administrative requirements for trade in mobile phones. The Decree establishes measures to control the import and export of intelligent mobile phones, cellular mobile phones, and their parts, susceptible to classification under Customs Tariff subheading 8517.12.00.00 and 8517.70.00.00, as part of its strategy to address the theft of mobile phones.
In particular, the decree mandates that each mobile phone have a government-issued International Mobile Equipment Identity (IMEI) verification certificate at the time of import and requires all importers and exporters to pre-register with the National Police in order to trade in mobile phones.
Chapter I of Decree No. 2025 establishes the import conditions of mobile phones. According to Art. 3, mobile phones whose IMEI is registered in the databases referred to in Art. 106 of No. Law 1,453 of 2011 may not be imported. But, importation is permitted if: (a) it is an IMEI reported in the positive database, (ii) in the case of import in compliance with a guarantee or (iii) the re-import of previously exported phones. Also, intelligent mobiles can be imported if the travellers carry them when entering the national territory as a personal possession (and no more than three units). Importation is also allowed under the modality of postal traffic and urgent shipments if it is just one mobile/intelligent phone that fulfils customs regulations."
Art. 1 of Decree No. 2,142 amended Art. 3 of Decree No. 2025/2015 (Chapter I), yet the conditions for importing mobile phones remain largely unchanged. While these restrictions predate the amendment, Decree No. 2,142 introduced a more lenient regime allowing the import under the modality of postal traffic and urgent shipments if it is just one mobile/intelligent phone that fulfils customs regulations.

The country does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there has been an obligation of accounting separation since 2009. According to Arts. 64 and 65 of Law No. 1,341 "Issues principles and concepts on the information society and the organization of Information and Communication Technologies (ICT), creates the National Spectrum Agency [...]" (Ley No. 1341 Por la cual se definen principios y conceptos sobre la sociedad de la información y la organización de las Tecnologías de la Información y las Comunicaciones (TIC), se crea la Agencia Nacional de Espectro [...]), the operators must keep separate accounting. They would be subject to specific sanctions if they do not comply with the requirement.
In addition, according to Arts. 9.1.2.1. and 9.1.2.2. of Resolution 5050 of 2016 (as amended by Art. 1 of Resolution No. 5589 of 2019), Telecommunications Network and Service Providers and/or Pay TV Operators are obliged to adopt separate accounting schemes in compliance with Art. 22 (numeral 19) and Art. 64 (numeral 8) of Law No. 1,341 of 2009.

Colombia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Colombia has a telecommunications authority: the Communications Regulation Commission (CRC, Comisión de Regulación de Comunicaciones). However, it is reported that the decision-making process of this entity is not fully independent from the government.

According to Art. 26 of Law No. 1,581, cross-border transfer of personal data is forbidden unless it is made to a country that offers adequate levels of data protection, as defined by the Colombian data protection authority. The prohibition does not apply in certain cases, including when the data subject authorises the cross-border transfer or when medical data is required for health or public hygiene reasons. According to the law, the institution in charge, "Superintendencia de Industria y Comercio" (SIC), establishes the standards regarding international data transfers.
Pursuant to Section 3.2 of External Circular No. 005/2017, as amended by External Circular No. 002/2018, the jurisdictions recognised as providing an adequate level of data protection include EU Member States, as well as Australia, Costa Rica, Japan, Iceland, Norway, Peru, Serbia, the Republic of Korea, the United Kingdom, and the United States.

Art. 5 of Law No. 1,266 establishes that a personal data transfer between data bank operators is permitted when authorisation is obtained from the data subject or when the destination database has the same purpose as the operator that delivers the data. If the receiver of the data is a foreign data bank, the delivery without authorisation must be done with a written record and due verification that the laws of the recipient of the information offer guarantees for the protection of the rights of the data subject.

According to Art. 13.11 of the First Amending Protocol, which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance, the four parties (Chile, Colombia, Peru and Mexico) commit to allowing cross-border information transfers through electronic means, including also the transfer of personal data for business activities. Moreover, in Art. 13.11 bis, the parties commit to ban forced localisation of computer facilities in their national territories.

The country has two main instruments regulating data protection: Law No. 1,581 and Decree No. 1,377. Law No. 1,581 establishes the guiding principles of data protection (such as finality, transparency, and confidentiality). Decree No. 1,377 complements and modifies Law No. 1,581. In addition, Law No. 1,266 developed the habeas data, particularly regarding financial, credit, commercial, services, and information from third countries.

Pursuant to Art. 4 of Decree No. 1,704, telecommunications providers must keep and store for a period of five years subscribers' personal information, such as identity, billing address, and connection type. This information must be available to the Attorney General or any competent authority in the context of a criminal investigation.

According to Art. 23 of Decree 1,377, controllers and processors should appoint a person or function within the company that assumes responsibility for the protection of personal data, tasked with reviewing and solving claims made by data subjects. Furthermore, Title VI of Law No. 1,581 establishes the duties of those responsible for data treatment and in charge of data treatment.

Concerns have been raised regarding the effectiveness of online copyright enforcement in Colombia. Digital piracy remains widespread, and the authorities have not significantly reduced the availability of free-to-air devices, community antenna systems, and unlicensed Internet Protocol Television (IPTV) services that enable the large-scale retransmission of otherwise licensed content to non-subscribers. Stakeholders further report that piracy of licensed content via mobile applications continues to expand and constitutes an increasing challenge.

Colombia has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.

Colombia has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Laws No. 256, Andean Community Decision No. 486, and the Penal Code collectively constitute Colombia’s core framework for the protection of trade secrets. Arts. 260–266 of Decision No. 486 provide the principal substantive definition of "secreto empresarial", grounding protection in three cumulative elements: the information must be secret, possess commercial value by virtue of its secrecy, and be subject to reasonable measures designed to preserve its confidentiality. These provisions clarify that protectable trade secrets may relate to, inter alia, products, production processes, and methods of distribution or service delivery. They also prohibit the unauthorised acquisition, use, or disclosure of protected information in a manner contrary to honest commercial practices, characterising misappropriation as a form of unfair competition.
In addition, Art. 16 of Law No. 256 punishes the violation of trade secrets and Art. 308 of the Penal Code defines the violation of trade secrets and establishes a sanction.

According to Title IV of Resolution CRC 5050, there is an obligation for passive infrastructure sharing in the country to deliver telecom services to end users. Moreover, passive infrastructure sharing is practised both in the mobile and fixed sectors based on commercial agreements.