Doing Business in Colombia: Legal Risks Your Company May Not Know About

Doing business in Colombia comes with hidden legal risks. Learn what your company should review in 2026 to prevent penalties and conflicts.

Many companies doing business in Colombia do not face legal problems because they act in bad faith or because they want to break the law.

In many cases, risks appear because the company grows quickly, hires without reviewing properly, sells without clear contracts, handles personal data without internal policies, pays payroll incompletely, forgets to renew registrations, or leaves taxes until the last minute.

The biggest legal risks when doing business in Colombia are usually found in omission: not having internal policies, not updating regulations, not documenting decisions, not renewing procedures on time, or not reviewing whether the operation continues to comply with the applicable regulations.

The most dangerous legal risk is not always the most obvious one. Sometimes it is found in everyday situations: a poorly drafted contract, a worker classified as a contractor, a rejected electronic invoice, an outdated RUT, a database without proper handling, or an agreement between partners that was never clearly put in writing.

In this 2026 guide, we explain the main legal risks your company may have without knowing it and what you should review when doing business in Colombia to prevent penalties, conflicts, and unnecessary costs.

1. Labor risk: believing that every service agreement avoids an employment relationship

One of the most common risks when doing business in Colombia is treating people as contractors when, in practice, they operate as employees.

If a person has a fixed schedule, receives permanent instructions, provides the service continuously and personally, and is subordinated to the company, there may be a risk of an employment relationship, even if the signed document says “service agreement.”

This risk is especially important after the labor reform. The Ministry of Labor explained that Law 2466 of 2025 established the indefinite-term employment contract as the general rule and limited fixed-term contracts to a maximum of four years.

For companies, this means that having a contract is not enough. It is necessary to review how the relationship actually works.

Poor labor management can generate claims for salaries, social benefits, social security, compensation, surcharges, vacation, pending contributions, and penalties.

When doing business in Colombia, companies must understand that the legal classification of a worker does not depend only on the title of the contract. It depends on how the relationship is executed in practice.

What to review:

Employment contracts and service agreements.

The real duties of each person.

Schedules, subordination, and reports.

Payroll payments, benefits, and social security.

Internal policies and work regulations.

Terminations and settlements.

2. Social security risk: paying payroll, but not paying PILA correctly

Many companies believe the risk ends when they pay the salary. But in Colombia, payroll also includes contributions to health, pension, occupational risks, family compensation fund, and, when applicable, parafiscal contributions.

UGPP monitors the correct payment of contributions to the Social Protection System. In its 2026 employer guide, the entity explains risks such as omission, late payment, and inaccuracy in the affiliation or payment of contributions.

The problem may appear when the company:

Does not correctly affiliate a worker.

Reports a salary lower than the real one.

Does not pay full social security.

Does not report updates such as terminations, medical leave, or licenses.

Misclassifies the occupational risk.

Confuses salary and non-salary payments.

UGPP also offers official tools to calculate the Base Contribution Income and system contributions, including the 2026 minimum wage and contribution limits.

For companies doing business in Colombia, payroll compliance is not only an internal administrative matter. It can become a legal, financial, and regulatory risk if payments, contracts, and contributions are not consistent.

What to review:

Monthly PILA payments.

Base Contribution Income.

Reported updates.

ARL classification.

Payroll support documents and bank receipts.

Consistency between the contract, real salary, and contributions.

3. Tax risk: complying late or filing with incomplete information

Tax risk does not appear only when a company fails to file. It also appears when the company files late, invoices incorrectly, does not transmit electronic payroll, does not update the RUT, or does not review its monthly obligations.

DIAN publishes the official tax calendar with monthly deadlines for obligations such as income tax, VAT, withholding tax, foreign assets, and other national taxes. For 2026, DIAN maintains a calendar of deadlines and obligations that companies must review according to their type of taxpayer and NIT.

In addition, DIAN reminds taxpayers that the RUT must be updated within the month following the event that generates the change. This applies, for example, when there is a change in address, email, economic activity, tax responsibilities, or relevant company information.

An outdated RUT may seem like a minor detail, but it can generate inconsistencies, missed notifications, invoicing errors, and problems in tax procedures.

When doing business in Colombia, tax compliance should not be left until the deadline. It should be reviewed monthly through accounting, invoicing, banking records, payroll, withholding taxes, and supporting documents.

What to review:

Monthly tax calendar.

Updated RUT.

Electronic invoicing.

Electronic payroll.

Withholdings applied.

VAT, income tax, and ICA returns.

Support documents for costs, expenses, and deductions.

Reconciliation between accounting, banks, and invoicing.

4. Corporate risk: having a company created, but disorganized internally

Creating a company is only the first step. Keeping it organized is what truly reduces risks.

Many companies have problems because they do not update books, minutes, shareholding composition, powers of attorney, bylaw amendments, appointments, or registrations before the Chamber of Commerce.

The Bogotá Chamber of Commerce reminds companies that the commercial registration must be renewed and that the process can be done online. It also warns that companies that do not renew their registration for five years may be removed from the registry; legal entities may be dissolved and enter liquidation.

This risk usually appears when the company needs a loan, wants to sell assets, open a bank account, receive investment, contract with third parties, or prove who can sign.

If internal documents are not clear, any important decision can become slower or subject to dispute.

When doing business in Colombia, corporate documents are not just formalities. They are the legal evidence that shows who represents the company, who owns it, how decisions are made, and whether the company can legally enter into important transactions.

What to review:

Commercial registration.

Certificate of existence and legal representation.

Shareholders’ meeting or partners’ meeting minutes.

Appointments and powers of attorney.

Bylaw amendments.

Corporate books.

Agreements between partners.

Authorizations to sell assets or assume debts.

5. Beneficial ownership risk: forgetting the RUB

The Single Registry of Beneficial Owners, or RUB, is an obligation that many companies still underestimate.

DIAN explains that legal entities and certain structures must report information about their beneficial owners. In addition, they must review whether there were changes as of January 1, April 1, July 1, and October 1 of each year; if there are modifications, they must update the information within the following month.

This risk is important because it affects corporate transparency and can create problems when there are changes in partners, foreign structures, holding companies, investors, or indirect beneficiaries.

It is not enough to file the report once. The company must monitor whether ownership, control, or reported information has changed.

For companies doing business in Colombia, the RUB should be treated as a recurring compliance obligation, especially when there are changes in ownership, control, foreign shareholders, or corporate structures.

What to review:

Current beneficial owners.

Shareholding changes.

Foreign structures.

Direct or indirect control.

Initial RUB report.

Updates when changes occur.

Identification and participation support documents.

6. Contractual risk: selling, buying, or contracting without clear rules

One of the most silent legal risks for a company is found in its contracts.

Many companies operate with verbal agreements, quotes sent by WhatsApp, incomplete purchase orders, or contracts copied from the internet. This may seem sufficient while everything works well. But when a breach, return, late payment, early termination, or claim appears, the lack of clear rules can become costly.

In practice, a company is at a disadvantage when it does not define the conditions of its commercial relationship in writing. If the contract does not establish delivery times, warranties, returns, responsibilities, payment methods, penalties, or grounds for termination, it will be much more difficult to defend its position before a client, supplier, or consumer.

This is especially important in relationships with consumers, because the law recognizes special protection for them. For this reason, when the company does not properly document its conditions, it may be exposed to claims, unfavorable interpretations, or higher operating costs.

A good contract is not simply a long document. It is a tool to define responsibilities, payments, deliverables, deadlines, confidentiality, intellectual property, termination, penalties, and dispute resolution mechanisms.

This risk applies to relationships with clients, suppliers, contractors, partners, employees, landlords, distributors, commercial allies, and technology service providers.

Clear contracts are one of the most important tools for doing business in Colombia safely. They allow the company to reduce uncertainty, define responsibilities, and react better when a commercial relationship does not go as expected.

What to review:

Contracts with clients and suppliers.

Terms and conditions.

Payment policies.

Termination clauses.

Intellectual property.

Confidentiality.

Handling of breaches.

Liability for damages or delays.

Jurisdiction and dispute resolution.

7. Personal data risk: storing information without a real policy

If your company collects names, ID numbers, emails, phone numbers, addresses, resumes, employment histories, medical information, client data, or employee data, it is processing personal data.

The SIC has reminded companies that Law 1581 of 2012 requires the implementation of technical, human, and administrative measures to protect information and prevent its loss, alteration, consultation, use, or unauthorized access.

In addition, the National Database Registry is a public directory of databases containing personal information subject to processing in Colombia, in accordance with Law 1581 of 2012.

Not all companies are required to register databases before the RNBD, but all companies must review how they process personal data. The SIC has explained that companies and non-profit entities with total assets above 100,000 UVT, as well as public legal entities, are required to register their databases when they meet the requirements.

When doing business in Colombia, personal data protection should not be treated as an optional policy. Any company that collects information from clients, employees, suppliers, candidates, or users must review how it obtains, stores, uses, shares, and protects that information.

What to review:

Data processing policy.

Authorizations from data subjects.

Privacy notice.

Client, employee, and supplier databases.

Information security.

Data processors.

Data transfers or transmissions.

Procedure for inquiries and claims.

Obligation to register in the RNBD, if applicable.

8. Consumer risk: promising more than you can deliver

If your company sells products or services to consumers, it must carefully review its advertising, prices, warranties, promotions, delivery terms, and service channels.

The SIC monitors and controls the market to protect consumer rights and allows reports of conduct that may violate rules or affect those rights.

The same entity indicates that it may impose penalties on those who violate consumer protection rules, with the purpose of guaranteeing regulatory compliance and protecting the balance in consumer relationships.

The risk appears when a company:

Publishes incomplete prices.

Offers unclear promotions.

Does not honor warranties.

Does not deliver what was promised.

Uses misleading advertising.

Does not respond to claims.

Sells online without clear terms.

Does not disclose relevant conditions of the product or service.

For companies doing business in Colombia, consumer protection rules are especially important when selling online, running promotions, publishing prices, offering warranties, or communicating product conditions through websites and social media.

What to review:

Website and social media.

Advertising and promotions.

Terms and conditions.

Exchange, warranty, and return policy.

Price information.

Service channels.

Responses to PQR.

Evidence of delivery of the product or service.

9. Business compliance risk: thinking SAGRILAFT and PTEE are only for large companies

Not all companies are required to have SAGRILAFT or its derivatives, or PTEE. But many must review whether they exceed thresholds, belong to supervised sectors, or are required due to their activity.

The Superintendence of Companies explains that SAGRILAFT seeks to identify, segment, qualify, and control risk factors related to money laundering, terrorism financing, and financing the proliferation of weapons of mass destruction.

The entity has also published sanctioning resolutions related to SAGRILAFT and PTEE, which shows that these obligations are not only theoretical.

For 2026, certain obligated parties must submit reports related to SAGRILAFT, the minimum measures regime, and PTEE according to the rules of the Superintendence of Companies.

This risk is especially relevant if the company handles international operations, cash, sensitive suppliers, public contracts, regulated sectors, large revenues, real estate operations, foreign trade, or complex corporate structures.

Companies doing business in Colombia should review whether SAGRILAFT, its derivatives, PTEE, or other compliance obligations apply to their operation before assuming that these rules are only for large companies.

What to review:

Whether the company is required to have SAGRILAFT or its derivatives.

Whether it must implement PTEE.

Due diligence of clients and suppliers.

Compliance officer, if applicable.

Risk matrices.

Mandatory reports.

Anti-corruption policies.

Third-party knowledge support documents.
