Key Data and Cybersecurity Laws
What are the key data privacy laws and regulations?

Last review date: January 2026

Please note that this chapter focuses solely on specific local laws and regulations. Please refer to the EU chapter of the Global Data & Cyber Handbook for detailed information on EU-wide data privacy and other data-related legislation applicable across all EU Member States, such as the EU GDPR and the EU AI Act.

  • Data Protection Act n° 78-17 of 6 January 1978 as modified by Act n° 2018-493 and by Order n° 2018-1125 of 12 December 2018, modified by Law n° 2022-52 of 24 January 2022, Law No. 2024-449 of 21 May 2024, Law n°2025-391 of 30 April 2025, and Law n°2025-594 of 30 June 2025 (together "Data Protection Act")[1]
  • Law on Confidence in the Digital Economy, n° 2004-575 of 21 June 2004 ("LCEN")
  • Decree n° 2005-1309 of 20 October 2005 as modified by Decree n° 2018-687 of 1 August 2018 and by Decree 2019-536 of 29 May 2019, available here
  • Digital Republic Act n° 2016-1321 of 7 October 2016, as modified, available here
  • Decree n°2018-1117 of 10 December 2018 on administrative documentation that may be available to the public without anonymization, available here
  • Decree n°2019-536 of 29 May 2019 taken for the application of the Data Protection Act, available here
  • Decree n° 2021-1362 of 20 October 2021 on the conservation and communication of data identifying any person who has contributed to the creation of online content, available here
  • French Act No. 2022-52 of 24 January 2022 on criminal liability and internal security[2][3], available here
  • Law No. 2024-449 of 21 May 2024, which aims to secure and regulate the digital space ("SREN Law"), available here. The SREN Law covers multiple legal aspects, including privacy, cybersecurity, and those related to non-personal data. It modifies, inter alia, the Data Protection Act and the LCEN, and transposes several provisions of the EU Digital Services Act, the EU Data Governance Act and the EU Data Act (with several provisions coming into law retroactively on 17 February 2024 and for a temporary time until the entry into force of the EU Data Act). The French authority for telecommunications (ARCEP)'s recommendation on cloud-related provisions in the SREN Law can be found here.
  • Law n°2025-391 of 30 April 2025 containing various provisions adapting to European Union law in the areas of economics, finance, the environment, energy, transport, health, and the movement of individuals ("DDADUE Law"), available here. The DDADUE Law modifies and specifies rules on the representation of data subjects by not-for-profit bodies, organizations or associations before the French Data Protection authority (CNIL) and the judge.
  • Law n°2025-594 of 30 June 2025 against all forms of fraud involving public funds (available here). This Law specifies the conditions under which information protected by professional secrecy must be disclosed to the French supervisory authority.

 

[1] Please note that following a decision by the French Constitutional Council, Article 22 of the Data Protection Act will be modified in 2026.

[2] This act modifies and broadens the geographical scope of application of the Data Protection Act. It applies to a data controller or processor not established in the European Union when the processing of personal data of individuals located on French territory is related to monitoring the behavior of these individuals within the European Union, in particular through the collection of their personal data for the purpose of linking it with data relating to their online activity.

[3] This act also introduced a new sanction mechanism through a new article 22-1 inserted into the existing Data Protection Act, to meet the increase in the number of complaints received by the French Data Protection Authority (CNIL). This provision modifies the powers of the Chairman of the "restricted panel" ("formation restreinte") for cases considered to be of minor concern. The Chairman will be able to rule alone and take three types of measures: (1) to order the production of the requested elements in case of failure to respond to a previous formal notice, (2) to impose a penalty payment of EUR 100 per day of delay, and (3) to impose an administrative fine of up to EUR 20,000.

What are the key cybersecurity laws and regulations?

Last review date: January 2026

Please note that this chapter focuses solely on specific local laws and regulations. Please refer to the EU chapter of the Global Data & Cyber Handbook for detailed information on EU-wide cybersecurity and other data-related legislation applicable across all EU Member States, including the Cybersecurity Act, DORA, and the NIS 2 Directive.

  • French Act No. 2018-133 of 26 February 2018 adapting the NIS Directive in the field of security, available here
  • Decree No. 2018-384 of 23 May 2018 and Order of 13 June 2018, both taken for the application of the French Act No. 2018-133, available here and here
  • French Act No. 2022-309 of 3 March 2022 for the introduction of cybersecurity certification of digital platforms for the general public, available here
  • Decree No. 2022-513 of 8 April 2022 relating to the digital security of the information and communication system of the State and public entities, available here
  • Prime Minister's guidelines No. 6282 of 5 July 2021, available here
  • French cybersecurity framework for cloud ("SecNumCloud"), available here
  • French orientation and programming law n°2023-22 of 24 January 2023 of the Ministry of Interior, introducing a new article in the code of insurance, available here
  • French law n° 2023-703 of 1 August 2023 on military programming for the years 2024 to 2030, which gives new competences to the authority competent for cybersecurity (ANSSI) in the domain of information systems security, available here
  • Order of 17 April 2023 setting out the security rules and reporting procedures for vitally important information systems and security incidents relating to the vitally important sub-sector of "healthcare establishments" and issued pursuant to articles R. 1332-41-1, R. 1332-41-2 and R. 1332-41-10 of the French Defense Code, available here
  • Order of 26 April 2024 setting out the new, restructured framework for health data hosting ("HDH") under Article L. 1111-8 of the French Code of Public Health, available here
  • Draft law of 15 October 2024 on critical infrastructure resilience and enhancing cybersecurity, aimed at transposing the EU NIS 2 Directive, available here.
  • Draft law of November 2025 containing various provisions adapting to European Union law in the areas of economics, finance, the environment, energy, information, transportation, health, agriculture, and fisheries, available here. This aims to modify the LCEN and SREN with cybersecurity-related provisions, transposing the EU AI Act and the Data Act into French law.

What are the key laws and regulations relating to non-personal data?

Last review date: January 2026

Please note that this chapter focuses solely on specific local laws and regulations. Please refer to the EU chapter of the Global Data & Cyber Handbook for detailed information on EU-wide legislation related to non-personal data, also applicable in all EU Member States, such as the Regulation on the free flow of non-personal data, the Data Governance Act, the Data Act, etc.

France enacted Law n° 2023-451 (available here), which regulates the commercial activity of influencers on social networks. An "influencer" is a person (individual or legal entity) who uses their reputation among their audience to communicate content to the public by electronic means to promote, directly or indirectly, goods, services or any cause whatsoever, with compensation. This law creates notable new obligations and sanctions for influencers and other stakeholders, including service providers and platforms.

SREN Law (available here): Under the SREN Law, the CNIL is designated as the competent authority for matters relating to "data altruism." It has been granted new monitoring and investigative powers, including the power to seize documents under judicial supervision and to record interview responses. The CNIL may also impose corrective measures, such as fines, similar to those under the Data Protection Act.