A technology company operating in Colombia without a current compliance review faces a specific legal risk. Colombia's digital services regulation has moved from policy discussion into enforceable rules. Regulators are actively examining the obligations of domestic and foreign technology providers. Companies that delay their review face administrative sanctions and potential suspension of service authorisations.
Colombia has introduced new digital services requirements under its technology legislation, imposing registration, transparency, and algorithmic accountability obligations on companies providing digital platforms and software services to Colombian users. The rules apply to both locally incorporated entities and foreign providers with a discernible presence in the Colombian market. The primary compliance deadline requires affected companies to complete registration and internal policy alignment within the timeframe set by the Ministerio de Tecnologías de la Información y las Comunicaciones (Ministry of Information and Communications Technology, or MinTIC).
This alert covers which business categories are affected, the threshold criteria that determine whether your company falls within scope, and the immediate actions required to achieve compliance.
What has changed and when it takes effect
Colombia's regulatory authorities have extended the reach of technology legislation to cover a broader set of digital services. The change builds on existing telecommunications and data protection rules. It introduces distinct obligations for digital services, separating them from general software liability and commercial legislation.
The core change is threefold. First, providers of digital platforms and intermediary services must register with MinTIC and maintain an updated record of their service offering. Second, companies using algorithmic systems that affect user access, content ranking, or pricing must disclose the logic behind those systems. This is the algorithmic accountability component. Third, technology licensing arrangements between foreign entities and Colombian users now require a local-language terms document that meets minimum statutory standards.
The rules entered into force following publication in the Diario Oficial (Official Gazette of Colombia). A transitional period applies to companies not previously registered. That transitional window is short – the effective date for full compliance obligations falls within the current calendar year. Companies that were already providing digital services before the regulatory change have a reduced grace period compared to new market entrants.
The consequence of missing the deadline is not merely administrative. Under Colombia's commercial legislation and technology law, continued operation without registration constitutes an ongoing infraction. Fines accrue per day of non-compliance. Regulators may also order the suspension of services delivered to Colombian users, which for a digital business can mean immediate revenue loss.
Which companies are affected and what thresholds apply
The regulation applies to a defined set of business categories. Not every technology company providing services to Colombian users falls automatically within scope. The threshold criteria matter.
The following categories are within scope:
- Online intermediary platforms connecting buyers and sellers of goods or services
- App stores and software distribution platforms accessible to Colombian users
- Search engines and content aggregation services with Colombian-facing interfaces
- Cloud-based software-as-a-service providers with Colombian corporate or individual subscribers
- Companies deploying algorithmic recommendation or automated decision systems affecting Colombian users
The threshold criteria include user volume and commercial activity. A company crosses into mandatory scope when it meets any of the following: it serves a significant number of active Colombian users per month. It generates revenue from Colombian users or Colombian-based clients. Alternatively, it operates a technology licensing arrangement under which Colombian entities access software or platforms. Foreign companies are within scope if their services are directed at Colombia – assessed by factors such as the use of Spanish-language interfaces, Colombian payment methods, or local-currency pricing.
Smaller operators – individual developers and micro-enterprises – may fall under a simplified registration track. However, the algorithmic accountability and software liability disclosure obligations still apply to any operator whose system makes automated decisions affecting individual users, regardless of company size.
International companies already subject to AI Act compliance obligations in the EU should note that Colombia's rules are structurally distinct. Colombian digital services regulation does not replicate the EU's risk-tiered model. It imposes transparency obligations across a wider category of algorithmic systems, without the formal risk classification that applies under European technology legislation. For companies managing obligations across both regimes, this creates a dual-track compliance burden that requires careful coordination. Our AI and technology law practice in Colombia assists companies in mapping these parallel requirements and building a single compliance architecture.
To receive an expert assessment of your company's exposure under Colombia's digital services regulation, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Companies within scope should treat the following steps as urgent. The compliance timeline does not accommodate sequential planning over several months.
Step 1 – Confirm scope and threshold status. Conduct an internal audit of Colombian user numbers, revenue from Colombian sources, and any existing technology licensing arrangements with Colombian counterparties. Determine whether the simplified track or the full registration track applies.
Step 2 – Register with MinTIC. The registration process requires submission of corporate documentation, a description of the digital services provided, and identification of the responsible legal representative in Colombia. Foreign companies without a Colombian subsidiary must appoint a local legal representative for this purpose. Registration without a correctly appointed representative is rejected as procedurally defective.
Step 3 – Audit algorithmic systems for disclosure compliance. Any algorithmic system used for content ranking, pricing, or access decisions must be documented to a standard that allows the regulator to assess its logic. This does not require full source code disclosure, but it does require a plain-language explanation of the system's principal parameters. Companies with proprietary algorithmic systems should review software liability exposure at the same time.
Step 4 – Review and update technology licensing documentation. Existing terms of service and technology licensing agreements must be reviewed against the new minimum content requirements. Agreements that lack the required clauses must be updated before the compliance deadline. This step is frequently underestimated by international companies accustomed to deploying a single global terms document.
Step 5 – Align intellectual property and data protection documentation. The new rules interact with Colombia's data protection legislation. Companies that process personal data as part of their digital services must verify that their data processing records, consent mechanisms, and cross-border transfer arrangements remain valid under the current regulatory regime. For guidance on the intellectual property dimensions of digital services compliance, including software ownership and licensing structuring, see our analysis of intellectual property law in Colombia.
Companies operating across multiple jurisdictions in the Americas should also monitor regulatory developments in other markets. A comparative overview of recent shifts in digital services regulation in North America is available in our alert on digital services regulation in the United States.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our AI and technology law practice supports technology companies, platforms, and institutional investors operating in Colombia and across Latin American markets. We advise on digital services registration, algorithmic accountability obligations, software liability exposure, and technology licensing compliance under Colombian law. As a law firm in Colombia-facing matters, we work with international entrepreneurs and in-house legal teams who need coordinated advice across civil law systems. Our attorneys have handled AI Act compliance mapping and cross-border technology regulation for clients managing obligations across European and Latin American regimes simultaneously. To discuss your company's compliance position under Colombia's new digital services rules, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.