Pursuant to Art. 7 of Sub-Decree No. 287 and Joint Notification No. 873, issued by the Ministry of Commerce (MOC) and the Ministry of Posts and Telecommunications (MPTC), registered companies in Cambodia are required to use a local domain name such as ".com.kh" for their websites and email addresses. Furthermore, pursuant to Notification No. 837, issued in April 2022 by the MOC and MEF, all companies operating in Cambodia must use a national second-level domain name and an email address with that domain when filing annual declarations of commercial enterprises. Domain names are valid for 1 year before they must be renewed.

The Law on Consumer Protection and the Law on Electronic Commerce provide a comprehensive framework for consumer protection that also applies to online transactions. According to Art. 27 of the Law on Consumer Protection, it is required for businesses to disclose information related to the kind, grade, safety, quantity, origin, function of use, maintenance, composition, design, assembly, usage, price, packaging, advertising or supplying, manufacturing date and expiry date, information about production or information related to the supply of goods or services. The application of these requirements to e-commerce is confirmed by Art. 33 of the Law on Electronic Commerce, which requires any person using electronic communications for commercial activities with consumers to comply with all other provisions and regulations related to consumer protection.

Cambodia has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Cambodia enacted the E-Commerce Law, drawing upon the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Cambodia has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

According to Art. 15 of the Law on Telecommunications, any person may apply to the Telecommunication Regulator of Cambodia (TRC) for a permit to engage in the importation, exportation, supply, and distribution of telecommunications equipment. Under Art. 16, individuals may also apply to the TRC for a certificate to act as a Qualified Agent (QA) for the import of such equipment.
In addition, under Art. 7 of Sub-Decree No. 110, individuals intending to import, supply, or distribute computer instruments and electronic devices equipped with ICT technology or software must obtain an operational certificate from the General Department of ICT. If the equipment is classified as restricted under Sub-Decree No. 370, an additional import permit is required and must be obtained via the National Single Window online system.
The TRC is the competent authority responsible for issuing licences, certificates, and permits in the telecommunications sector. This includes QA certificates for the import, supply, and distribution of telecommunications and ICT equipment, as well as import permits for items included in the restricted goods list.

Art. 14 of Sub-Decree No. 23 imposes an obligation on National Internet Gateway (NIG) operators to retain traffic data for a year. The National Internet Gateway is the gateway through which all Internet services must be connected, both nationally and internationally. Traffic refers to the amount of data that passes through a network in one second (Annex 1). NIG operators shall maintain technical records, IP address allocation table, and route identification of traffic transiting through NIG for the last 12 months. It is reported that Art. 14 means the operator(s) of the NIG can track the activities of all internet users in Cambodia, including a user’s browser history and unencrypted search history for up to 12 months. Art. 13 imposes an obligation on NIG operators to report and monitor traffic data and submit monthly, quarterly, semi-annual, third-quarterly, and annual traffic reports within seven days after the end of each month, quarter, semester, third-quarter and year to both the Telecommunication Regulator of Cambodia (TRC) and the Ministry of Posts and Telecommunications (MPTC). It is reported that, although the law is in force, it has not yet been implemented in practice.

Art. 6 of the Law on Telecommunications requires that all telecommunications operators and persons involved with the telecommunications sector shall provide "telecommunications information and communication technology service data" to the Ministry of Post and Telecommunications. In practice, this gives the Ministry unfettered rights to demand that all telecommunications service providers provide data on their service users. This could serve as an obligation for companies to surrender data without the requirement of a judicial warrant or other safeguards protecting privacy rights.
Art. 97 of the law permits the secret surveillance of any telecommunications where it is conducted with the approval of a “legitimate authority.” There is no definition of what constitutes a “legitimate authority”. This appears to create a power to secretly eavesdrop without any public accountability or safeguards to protect individuals’ right to privacy.

It is reported that some articles of Sub-Decree No. 23 may require the government to have direct access to personal data collected. Art. 14 establishes that the Ministry of Post and Telecommunications (MPTC) and Telecommunication Regulator of Cambodia (TRC) can monitor the infrastructure, connections, and equipment of the National Internet Gateway (NIG). NIG refers to the gateway through which all Internet services must be connected, both nationally and internationally (Annex 1). NIG operators shall:
- Prepare and maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG;
- Compile and maintain reports and relevant documents concerning the connections and all Internet traffic;
- Provide other information as required by the MPTC and TRC.
It is reported that, although the law is in force, it has not yet been implemented in practice.

The E-commerce Law establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 24 of the law, internet intermediaries are not liable for unlawful third-party content on their online platforms. However, they must comply with mandatory content-removal procedures upon becoming aware of such content (Art. 25). Additionally, pursuant to Art. 27, intermediaries are obligated to comply with an e-commerce code of conduct.

The E-commerce Law establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 24 of the law, internet intermediaries are not liable for unlawful third-party content on their online platforms. However, they must comply with mandatory content-removal procedures upon becoming aware of such content (Art. 25). Additionally, pursuant to Art. 27, intermediaries are obligated to comply with an e-commerce code of conduct.

It is reported that Cambodia requires identity verification for SIM card registration. Individuals seeking to purchase a SIM card must present a national identity card or, for foreign nationals, a passport to activate a new prepaid SIM. This requirement has reportedly existed since 2012, although its implementation remained incomplete for several years.
In August 2022, the authorities issued a final warning directing all telecommunications operators to ensure full SIM registration by 2023. This framework was subsequently formalised through Sub-Decree No. 41 on Equipment Identity Registration, issued in February 2023, which established a SIM identification registration system and a national database to support regulatory compliance.

Clause 7 of the Inter-ministerial Prakas No. 170 requires all Internet Service Providers (ISPs) operating in Cambodia to install software programs and equip themselves with Internet surveillance tools to easily filter and block any social media accounts or pages that run their business activities and/or publicise illegal activities. In addition, Clause 6 establishes that the Ministry of Information should manage information published through electronic systems, including all news content, written messages, audio, photos, videos, and/or other means, on websites and social media using the internet in the Kingdom of Cambodia.

According to Section 7 of Inter-ministerial Prakas No. 170, the Ministry of Posts and Telecommunications (MPTC) may block or close websites and social media pages that disseminate content deemed illegal, including that which incites unrest or threatens national security, public interest, or social order. However, these grounds are not clearly defined. Similarly, Art. 7 of the Law on Telecommunications authorises the MPTC or other ministries to instruct telecom operators to take unspecified necessary measures in cases of "force majeure", without defining such circumstances or actions. Both provisions have been criticised for their broad scope and potential for misuse, including the restriction of internet-based services.
Moreover, news and other websites have reportedly been blocked by the Cambodian government. In April 2020, two websites owned by TVFB were reportedly blocked by the Cambodian Telecommunication Regulator (TRC) and remain inactive. In February 2023, the TRC instructed internet service providers to block access to VOD’s news sites in both English and Khmer, following the revocation of its parent organisation’s licence. In the lead-up to the July 2023 general election, access to independent outlets such as Radio Free Asia (RFA), the Cambodia Daily, and Kamnotra was also blocked, with restrictions remaining in place until the end of 2024.

Art. 27.2 of the Law on Consumer Protection mandates that any advertising must be in Khmer. Furthermore, Art. 9 of Sub-Decree No. 232 requires all commercial advertising of products and services, by any channel, to use Khmer as the primary language. If foreign-language text is used in advertisements, it must comply with the Sub-Decree rules on placement and font size to ensure the Khmer text retains its prominence. It is reported that the Khmer language requirement can be an onerous obligation for some businesses.