Reviewing IT contracts under Czech law: Key risks and practical steps
Reviewing IT contracts is one of the most critical, yet often overlooked, areas of commercial law. Many companies worry about technical software defects but overlook legal risks that can lead to unexpected penalties, project suspension, or litigation. This article introduces the legal protection mechanisms, common pitfalls, and practical steps for avoiding complications in implementation and maintenance agreements under Czech law.

Table of contents
- Why reviewing IT contracts is particularly risky
- Key legal risks in IT contracts
- Related questions on the legal risks of IT contracts
- Practical steps when reviewing an IT contract
- Security and GDPR in IT contracts
- Specific situations and key elements
- Related questions on setting up security
- How to proceed if problems arise during implementation
Key takeaways
- An unreviewed IT contract often conceals undefined obligations, unclear liability for defects, and the risk of “vendor lock-in” with no ability to terminate the project without penalties.
- The attorneys of ARROWS, a Prague-based law firm, emphasise that clauses on acceptance procedures, data responsibility, and dispute escalation in particular can have an existential impact on your business.
- Missing or vague SLAs (Service Level Agreements) mean you have a very weak position during operations and cannot effectively enforce system availability.
- Properly setting licensing rights to intellectual property, access to source code, and data migration options is decisive for your company’s long-term independence.
Why reviewing IT contracts is particularly risky
IT work contracts and service agreements are among the areas where legal and technical reality often collide. A developer or software supplier promises a functioning system—but what happens if the project is delayed by months? What rights do you have if the software does not match the agreed specification?
Attorneys at ARROWS, a Prague-based law firm, encounter cases where statutory bodies of companies signed a contract without a thorough legal review and later discovered serious shortcomings. These are often situations where the supplier reserved the right to unilaterally change functionalities or the price list without the client’s consent. When negotiating such unilateral-change mechanisms, it is often useful to align the contract with a broader governance setup for decision-making in the company or group, as described under Corporate & Holding services in the Czech Republic.
Another frequent problem is a contractual penalty for early termination that is disproportionately high and, in practice, prevents changing suppliers. Once the contract is signed, your negotiating position weakens dramatically and changes are difficult to push through. For IT contracts, it therefore makes sense to address change-control procedures, exit clauses, and penalties as part of contracts and negotiations.
Key legal risks in IT contracts
Unclear scope of work
Scope (the subject matter of performance) is the most important part of a contract, but also the most common source of disputes. If the technical annex does not precisely define what is included in the implementation and what already falls under paid development, conflicts arise.
A typical case: the contract states “implementation of an information system” but does not address migration of historical data or integration with third-party APIs, and the supplier subsequently charges for this as additional work.
The attorneys of ARROWS, a Prague-based law firm, recommend structuring the contract by phases—analysis, design, development, testing, deployment, and stabilisation—while defining specific deliverables in each phase.
Missing or unenforceable SLA
An SLA is a legally binding set of service quality parameters that defines response times, incident resolution times, and guaranteed availability. Without a robust SLA, you have no practical way to enforce performance. If the supplier is repeatedly in delay or fails to meet the SLA, it is often appropriate to assess the procedural strategy, including evidence and claims, which falls within the agenda of commercial and court disputes.
An effective SLA includes:
- Response time: The time within which the supplier must acknowledge receipt of the incident.
- Resolution time: The maximum time to remedy the defect or provide a workaround.
- RTO and RPO: The maximum permissible downtime and the maximum permissible data loss.
- Availability: The guaranteed percentage of time the system is running.
- Penalties: Specific contractual penalties or service credits for failure to meet the parameters.
Responsibility for data and security
This is a legal boundary that the contracting parties must clearly define. A security incident has not only technical but also legal consequences under the GDPR and the Czech Cybersecurity Act. In practice, the contractual allocation of incident-response duties and documentation is closely linked to GDPR compliance, which is covered in ARROWS’ GDPR service. A practical framework for contractually setting the roles of controller and processor and minimising risks when involving third parties is also summarised in the update “SaaS platform in the EU: Legal coverage of Terms and Conditions, GDPR and licensing arrangements for AI outputs”.
A typical legal issue arises when the contract states that the supplier is not liable for data loss. Such a provision may conflict with mandatory provisions of the Czech Civil Code on compensation for damage. For management teams, it can also be relevant to understand when personal exposure may arise alongside corporate liability; see “Who Is Really Liable in the Czech Republic When the Company Gets Fined: The Firm or the CEO?”. The contract must define:
- Security standards: An obligation to comply with specific standards.
- Cooperation during an incident: The supplier’s obligation to report incidents without undue delay.
- Backups and recovery: Rules for backups and recovery testing.
- Insurance: The supplier’s obligation to maintain professional liability insurance.
Intellectual property and vendor lock-in
Who exercises the proprietary rights to the resulting code, design, and databases? Under the Czech Copyright Act, unless agreed otherwise, the author grants only a licence to use the work, not the right to interfere with it.
Imagine a situation where you want to modernise the system after years, but the original supplier no longer exists and you do not have access to the source code—putting you in the trap of so-called vendor lock-in.
ARROWS attorneys recommend negotiating the broadest possible licence with the right to make modifications and, for bespoke software, insisting on delivery of the source code or using a source code escrow arrangement.
The practical impacts of poorly set contractual relationships and the prevention of future disputes are also addressed in the update Dispute prevention in a holding structure: Setting contractual relationships between related companies.
Acceptance procedure
The moment of acceptance is legally crucial because it transfers the risk of damage and starts the warranty period. If the contract does not contain objective criteria, the supplier may claim the work is complete even if the system has defects.
The right approach includes:
- Acceptance criteria: A list of conditions the system must meet.
- Acceptance testing: The client’s right to carry out testing within a reasonable period.
- Defect categorisation: Dividing defects into critical and minor.
- Conditional payments: Tying the final portion of the price to the successful signing of the acceptance protocol.
Escalation and dispute resolution process
During implementation, disagreements may arise and, without a defined process, a dispute often escalates unnecessarily. A well-drafted contract includes tiers of resolution—from escalation to a steering committee, through mediation, and ultimately to court proceedings.
Attorneys from ARROWS, a Prague-based law firm, note that an effectively set escalation process often saves months of time and hundreds of thousands of Czech crowns in court fees.
Related questions on the legal risks of IT contracts
1. Do we need to include all of the above elements in an IT contract?
It depends on the complexity. With off-the-shelf software (SaaS), you often accept public terms and conditions, but for bespoke implementations or ERP systems, the absence of these elements is a gamble. ARROWS attorneys recommend tailoring the robustness of the contract to the value and risk profile of the project.
2. What if a provision in the contract is invalid?
Under the Czech Civil Code, preference is given to an interpretation that keeps the contract valid, and a so-called severability clause is typically used. However, if an essential requirement is missing—such as sufficiently defining the subject matter of the work—the contract may be considered void from the outset.
3. Who should have liability insurance?
The supplier should have professional liability insurance and ideally also cyber risk insurance. As the client, you should have your own cyber insurance for losses that cannot be recovered from the supplier.
Practical steps when reviewing an IT contract
Phase 1: Legal audit
Before you change anything, you need to identify the risks. ARROWS attorneys analyse the draft contract and flag critical areas that conflict with your interests or applicable legislation. An example could be an unacceptable clause limiting damages to a symbolic amount.
Phase 2: Negotiation and commenting
Suppliers often claim they use “standard corporate templates” that cannot be changed. ARROWS’ experience shows that every contract is negotiable, especially if you argue compliance with Czech legislation and symmetry of rights and obligations.
Phase 3: Finalisation and signing
Changes are incorporated through revisions or amendments. It is important to ensure that technical appendices do not conflict with the main legal part of the contract, which is a common mistake when compiling documentation.
Security and GDPR in IT contracts
Software implementation almost always involves access to personal data. If the supplier accesses the personal data of your clients or employees, it becomes a processor under Article 28 GDPR, and you must enter into a data processing agreement (DPA) with it.
The contract should guarantee you the right to conduct a security audit of the supplier, which is also required by the NIS2 Directive as transposed into the Czech Cybersecurity Act.
The contractual deadline for the supplier to report a security incident must be shorter than 72 hours so that you, as the controller, can meet your statutory obligation towards the supervisory authority.
| Possible issues | How ARROWS helps (office@arws.cz) |
|---|---|
| Unclear scope of work and disputes over additional work | ARROWS attorneys refine the definition of the scope of performance and link it to specific acceptance procedures. |
| Missing SLA or toothless penalties | We will set enforceable SLAs with clear metrics and incentive-based contractual penalties. |
| Risks related to GDPR and cybersecurity | We will prepare a Data Processing Agreement (DPA) and cybersecurity clauses in compliance with Czech law. |
| Vendor lock-in and copyright | We will ensure the licensing arrangements so that you retain control over further development of the system and the data. |
| Inefficient dispute resolution | We will set a tiered escalation process that minimises costs and time delays before any potential court proceedings. |
Specific situations and key elements
Cloud vs. on-premise
For cloud (SaaS), key issues are availability, the location of data storage, and the exit management process—i.e., how you get your data back when the contract ends. In this case, the data is stored with the supplier, which requires specific safeguards.
For an on-premise solution, i.e., installation on your infrastructure, the scope of the licence (perpetual vs. time-limited) is decisive. It is also necessary to address the warranty for the work and maintenance, which includes the right to new versions and security patches.
Agile development vs. Waterfall
The Waterfall method is characterised by a fixed scope, price, and timeline, and legally it is usually handled as a contract for work with an emphasis on acceptance of the deliverable as a whole. It is suitable for clearly defined projects.
Agile development is legally more complex because it is often billed based on time spent. Here, it is necessary to contractually address the client’s right to change priorities, the definition of task completion, and a budget cap mechanism so that the project does not become disproportionately expensive.
Related questions on setting up security
1. Do we have to explicitly specify security standards?
Yes, referencing specific standards (e.g., ČSN ISO/IEC 27001) is legally much more certain than vague wording such as “the supplier will ensure adequate security”. For regulated entities under the Czech Cybersecurity Act, it is a necessity.
2. How should we handle SLAs for open-source software?
For the open-source code itself, you generally cannot claim warranties from the community. However, you enter into the contract and SLA with the integrator, who guarantees support and operation of that software and must be liable for that service.
3. Is insurance mandatory by law?
Cyber risk insurance is not generally mandatory by law, but in business practice it is standard to require it contractually. It covers the costs of forensic experts, legal representation, and potential compensation for damage to third parties.
How to proceed if problems arise during implementation
If you discover only during the project that the contract is disadvantageous, try to negotiate an amendment to it. It is often possible to trade a concession in the schedule for stricter SLAs or the addition of a missing licence.
If the supplier fails to perform, defects must be formally notified in accordance with the contract and Czech law, because documentation is key for any potential court dispute. If the breach is material, the Czech Civil Code allows withdrawal from the contract, but this is a last resort that requires analysis.
The attorneys at ARROWS, a Prague-based law firm, can help you analyse the situation and choose a strategy that minimises damage.
Final summary
Reviewing an IT contract is a fundamental element of risk management that protects your technology investment from legal defects. These can ultimately be more costly than the software itself.
Typical consequences of ignoring this include signing a contract without review, subsequent vendor lock-in, inability to migrate data, and high costs of legal disputes if the supplier fails.
The attorneys at ARROWS, a Prague-based law firm, specialise in IT law and intellectual property. Our goal is not only legal correctness, but above all the commercial functionality and practical enforceability of the contract.
If you are planning an IT project or need to review existing contractual relationships, ARROWS, a Prague-based law firm, will help you set fair and secure terms. Contact us at office@arws.cz for a non-binding consultation.
Frequently asked questions
1. How much does an IT contract review cost and how long does it take?
The price depends on the scope and complexity, and the review typically takes 5 to 10 business days. For a specific quote, contact office@arws.cz.
2. Is it better to terminate the contract and start over, or to fix it with an amendment?
If the project is ongoing and the relationship has not been irreparably damaged, it is more effective and cheaper to conclude an amendment that rectifies missing parameters. Terminating the contract carries the risk of disputes over the settlement of work already performed.
3. Can we modify the contract ourselves?
Lay interventions in contracts often lead to internal inconsistencies or the use of invalid provisions. We recommend a professional review to ensure consistency and legal certainty.
4. What are acceptance criteria?
These are objectively measurable conditions for accepting the deliverables, for example that the system processes a certain number of requests per hour. Without them, acceptance is subjective and difficult to enforce.
5. Does an SLA make sense with a small supplier?
Yes, even a small supplier must guarantee service quality because an SLA defines expectations. If a small company cannot guarantee extremely high availability, the SLA should reflect reality and set a fair price corresponding to that quality.
6. How should we handle a contract with a foreign supplier?
It is necessary to determine the governing law and the place for dispute resolution, and particular care must be taken with transfers of personal data outside the EU. The attorneys at ARROWS International have extensive experience with cross-border IT contracts.
Notice: The information contained in this article is of a general informational nature only and is intended for basic orientation in the matter under the legal framework as of 2026. Although we take the utmost care to ensure accuracy, legal regulations and their interpretation evolve over time. We are ARROWS advokátní kancelář, an entity registered with the Czech Bar Association, and for maximum client protection we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS advokátní kancelář directly (office@arws.cz). We accept no liability for any damages arising from the independent use of the information in this article without prior individual legal consultation.
Read also:
- Supply chain disputes in Czech law: How to win or settle smart
- Termination clauses that work – and those that don't in the Czech Republic
- How to Structure Intercompany Agreements in a Holding to Avoid Disputes and Tax Risk
- How to Protect Yourself as a Company Executive in Czechia (Before It’s Too Late)
- How to outsource legal tasks in the Czech Republic without losing control over strategy