🇫🇷Digital Operational Resilience Act in France
A comprehensive guide to Digital Operational Resilience Act compliance for organisations operating in France. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About Digital Operational Resilience Act
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
Digital Operational Resilience Act Enforcement in France
France's CNIL is one of the most active and influential data protection authorities in Europe, with a long history predating the GDPR — established in 1978. The CNIL has been particularly aggressive in enforcing cookie consent rules under the ePrivacy Directive, issuing landmark fines against Google and Facebook for making cookie rejection more difficult than acceptance. The French Data Protection Act (Loi Informatique et Libertés) supplements the GDPR with specific provisions on health data processing, research, and age of consent for minors (set at 15). CNIL publishes detailed guidance, sector-specific recommendations, and conducts thematic audits focusing on ad tech, health data, and emerging technologies.
Data Protection Authority
Commission Nationale de l'Informatique et des Libertés (CNIL)
Key Enforcement Focus Areas in France
- Cookie consent enforcement (strict CNIL guidelines)
- Health data and research processing frameworks
- Ad tech and behavioural advertising compliance
- AI systems and algorithmic transparency
- Children's data protection (age of consent: 15)
Notable Enforcement Actions in France
Google LLC
Making cookie rejection more complex than acceptance on google.fr and youtube.com
Facebook Ireland (Meta)
No simple mechanism to refuse cookies on facebook.com; requiring multiple clicks to reject
Criteo SA
Processing personal data for advertising without valid consent and insufficient information to users
Google LLC
Lack of transparency, inadequate information, and lack of valid consent regarding ad personalisation
Check Your Compliance Status
Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.
Start Free AssessmentDisclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting France
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Network and Information Security Directive (NIS2)
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".