Cybersecurity and Personal Data: The CNIL toughens its stance


On 9 February 2026, the Commission Nationale de l’Informatique et des Libertés (CNIL) published its 2025 report on its enforcement action. Beyond the €487 million in cumulative fines, largely driven (unsurprisingly) by two sanctions related to cookies, another trend deserves attention: the growing number of fines for failure to ensure the security of personal data and, more specifically, for personal data breaches.

A threat already identified – From awareness to action

As early as 2024, the CNIL warned of a 20% increase in breach notifications and a surge in large-scale data breaches. It noted that attackers regularly exploited the same weaknesses, notably compromised login credentials and intrusions that went undetected, and that processors were frequently involved.

Although the number of sanctions may still appear small relative to the number of data breach notifications (5,629 in 2024), four significant fines were announced within two months, targeting both controllers and processors:

  • €1.7M against a software publisher in the social welfare sector (December 2025);
  • €1M against a marketing processor of a streaming platform (December 2025);
  • €5M against the French public body in charge of employment (January 2026); and
  • €42M against a major ISP (January 2026).

What to expect in 2026

This focus is in line with the CNIL’s 2025–2028 strategic plan, in which cybersecurity features as one of the four priority areas. It is also reflected in the guidance issued on 30 April 2025 regarding how security measures should be strengthened. This emphasised rigorous identity and access management, real-time logging and analysis of network traffic, regular cybersecurity training for staff, and better oversight of security arrangements with processors and subprocessors.

More specifically, the CNIL now requires companies holding customer, prospect, and user databases comprising data relating to several million individuals to implement multi-factor authentication for their employees, partners, processors, and any other parties that can access the database remotely. It also encourages adherence to the recommendations already published by the CNIL and France’s National Agency for the Security of Information Systems (ANSSI).

Compliance with this requirement for multi-factor authentication will be subject to inspections by the CNIL from 2026 onwards. Failure to implement multi-factor authentication may lead to the commencement of enforcement proceedings.

The CNIL’s 2025 review is published on the CNIL website under the title “Sanctions and corrective measures: the CNIL presents its 2025 review”. The CNIL’s recommendations on multi-factor authentication are available at https://cnil.fr/fr/recommandation-mfa
