CNIL 2025 Report, reading a regulator in transition
Data processors, AI, cross-regulation, misleading record figures: what the CNIL's 2025 annual report really says about regulation in 2026.

What the chair admits without quite writing it down
Marie-Laure Denis opens her annual report with a word that deserves to be taken seriously. A pivotal year. The term comes up twice within a few lines, which does not read like an offhand rhetorical flourish. The chair of the CNIL chooses her vocabulary with the caution of a former member of the Conseil d'Etat, and when she says pivotal, she is describing an institutional shift that she observes without entirely controlling.
The question is: pivotal between what and what. The report offers an answer in the negative, provided you read it as a transition document rather than an activity review. Several deep currents cross through it, none of them reducible to a headline, and that is precisely what makes the reading interesting.
Time as a tool
The first shift concerns the regulator's use of time. In the spring of 2025, the CNIL published its guidance on the security of large databases after a 2024 that had already broken every record for notified breaches. It stresses multi-factor authentication, logging, the monitoring of remote access, and the management of data processors. It then announces, plainly, that it has given players time to adapt and that inspections will be carried out throughout 2026.
Read quickly, that sentence looks like an administrative platitude. Read slowly, it is a doctrinal admission. The regulator builds into its method the fact that organizations will not move on the mere publication of a recommendation. It no longer expects spontaneous compliance. It calibrates its pressure over time.
The report contains enough to confirm that this doctrine is sound. Five years pass between the cookie guidelines, adopted in 2020, and the combined September 2025 penalties against Google and Shein, totaling 475 million euros. Five years during which the rules were known, documented, illustrated, and largely ignored by players who could not seriously plead ignorance. The restricted committee notes as much explicitly in its reasoning.
80 %of the large-scale breaches in 2024 relied on an account protected by nothing more than a passwordCNIL, restricted committeeEighty percent of the large-scale breaches recorded in 2024 were made possible by a user account protected by a password alone. Multi-factor authentication has existed for twenty years, its operational cost has collapsed, and its rollout is documented right down to consumer manuals. And yet the 2025 report shows that 17,802 breaches were notified during the year, a large share of them exploiting the exact vector the CNIL has been warning against for ten years. Knowing the risk was never enough to force the trade-off.
The data processor as a blind spot
The second shift concerns data processors, and this is where reading the report becomes uncomfortable for an informed observer. Two software vendors are compromised during the year. One serves wealth-management advisers, the other independent healthcare professionals. Each of these two incidents generates, in a cascade, several thousand breach notifications from client firms that discover they are the data controllers of a system they no longer really controlled. In all, 11,635 notifications for these two events alone. The CNIL has to strip these figures out of its annual report so that the general trend stays readable.
The chair states the finding with restraint. A significant share of incidents involves a data processor with failing security. The report adds that sector concentration makes the phenomenon worse, since a single vendor can serve hundreds or even thousands of organizations in the same sector.
The discomfort comes from the fact that this finding is not a discovery. ENISA, in its 2030 foresight exercise published in 2023, already ranked the compromise of the software supply chain as the leading emerging threat of the decade. The technical incident reports of 2020 and 2021, starting with SolarWinds, had made the mechanism visible to anyone following the subject. CISOs of large organizations had been discussing it in conferences for five years. The CNIL's 2025 report treats this risk as a phenomenon to be analyzed from now on, when it had been documented, modeled, and anticipated by the technical community for half a planning cycle. Five years behind the experts who had warned, translated into the figures of an annual report.
This time lag is not an individual failing of the institution. It is inherent to how a legal regulator operates, one that folds a risk into its doctrine only after it has materialized statistically in its own data flows. But it raises a practical question for data controllers. If the authority formalizes the risk only after five years of converging signals, a compliance audit based on the state of the law cannot be confused with a resilience audit based on the state of the threat. Organizations that settle for the first accumulate an operational debt whose cost they will pay during the incident, not during the inspection.
The admission of cross-regulation
The third shift is the one the chair names explicitly and that deserves to be taken at her word. She speaks of a new era, that of cross-regulation. The term is not neutral. It acknowledges that the CNIL is no longer the sole authority in its field, that it now shares its remit with the DGCCRF on the AI Act, with ARCEP on the DGA, with ARCOM on political advertising and the DSA, with the competition authority on cross-cutting digital-economy topics. This entanglement mechanically increases the coordination burden, which the chair concedes plainly: implementing these new missions involves greater consultation with many other regulators, through procedures that often remain to be built.
Procedures that remain to be built, in a context where the texts have already entered into force. That sentence is heavy. It says that the European legislator stacked up regulations faster than national authorities could organize how they fit together, and that regulated entities operate within a formal framework that is not yet workable in practice. The Helsinki summit of July 2025, where the EDPB adopts a statement aimed at simplifying GDPR compliance for small and medium-sized organizations, is in fact an admission of this tension. The complexity of European regulation has itself become a driver of non-compliance, and the authorities collectively acknowledge it.
Four jobs for one institution
The fourth shift concerns artificial intelligence, and the report devotes a great deal of space to it for a reason that is not only the AI Act's implementation timetable. The CNIL is set to be given, subject to parliamentary confirmation, four distinct roles in AI regulation. These four roles are not an extension of its missions, they are four different jobs. The first is the one it has performed for ten years, protecting personal data inside algorithms. The second consists of checking that no banned AI systems are in use, which requires technical expertise on what constitutes a prohibited system. The third is an alerting function on fundamental rights, which moves the CNIL closer to a quasi-constitutional authority. The fourth is market surveillance over a large part of high-risk AI systems, in areas as sensitive as biometrics, employment, migration, and law enforcement.
The chair acknowledges that this fourth role puts the institution in an operating mode it does not yet master. She talks about the challenge of adapting the way it works to this new job and of taking ownership of the AI Act from an operational angle. In other words, the authority is building its doctrine as it goes, and players deploying AI in 2026 will operate within a framework whose practical contours are stabilizing in real time.
The study conducted with the Ministry of Labour and the AFCDP, published in 2025, shows that sixty percent of DPOs say they are often involved in AI projects and express a strong need for support, both technical and legal. The figure does not only say that DPOs are working on AI. It says that the role designed in 2018 to embody GDPR compliance is shifting toward a multi-text orchestration it was never sized to carry. Many DPOs in post today lack the technical background to assess training pipelines, memorization issues, or architecture choices. The CNIL does not put it in these terms, but its own figures reveal it.
The record-figure gymnastics
The report announces total fines of 486,839,500 euros, a spectacular rise from the 55 million of 2024. The figure is featured in the key numbers, in communications, in the roundups picked up by the trade press. It is worth pausing on, because its structure tells a different story from the one it claims to tell.
Of these 486 million, 475 come from two decisions taken on the same day, 1 September 2025, against Google for 325 million and against Shein for 150 million. Both decisions bear on the same subject: non-compliance with cookie legislation. Take these two cases out and the total in fines handed down over the year drops to around 11 million euros, five times less than the previous year. The record is not a record of enforcement activity, it is a concentration effect on two targeted, long-investigated cases.
This does not call the legitimacy of the penalties into question. Google had already been penalized twice for comparable conduct, and Shein operated at a massive scale in full knowledge of the rules. The breach is documented and the penalty looks proportionate. But the gap between the media framing of the figure and the reality of enforcement practice deserves to be named.
Cookies are a second-tier subject in the hierarchy of risks. Non-consented advertising tracking harms privacy but it does not bring down a health system, does not leak the data of several million citizens, does not paralyze a public administration. The massive breaches that hit a telecoms operator, a sovereign ministry, a sports federation are of a completely different risk nature, and it is on these subjects that players' maturity remains weakest. The report implicitly acknowledges this when it devotes a whole chapter to the security of large databases.
Yet on those very subjects, the volume of fines stays modest. The simplified procedure hands down penalties capped at 20,000 euros per decision. Serious security failures, which demand a lengthy investigation and a fine technical demonstration, rarely end with exemplary amounts. The CNIL has the means to hit hard on legally clear subjects such as cookies, and it struggles to hit hard on operationally complex ones such as the failure of a data processor or the mapping of an intrusion.
The result produces an incentive asymmetry that has to be faced head-on. A rational economic player who reads these 486 million and wonders where to place its compliance priority will tend to invest in its cookie banner and its consent management platform before investing in its multi-factor authentication, its data-processor audits, or its remote-access monitoring. It is not that the cookie banner is pointless, it is that resource allocation is decided by signal, and the signal sent by the record figures is misleading about the real hierarchy of risks.
More missions, same resources
There remains the question of resources, which structures everything else without always being in the foreground. In 2025 the CNIL has a budget of 30.2 million euros and 303 staff, with six new posts during the year and zero planned for 2026. At the same time, its remit expands in every direction under the DSA, the DGA, the SREN law, the political-advertising regulation, and the AI Act. The deputy secretary general acknowledges that this twin trend, at a time when the budget context does not allow a proportionate increase in headcount, forces the CNIL to prioritize its activity better. Prioritizing better, in administrative language, means giving up certain inspections, certain responses, certain forms of support. The report does not say which ones, but the attentive reader can anticipate the move. Enforcement pressure will concentrate where the institution can set precedent and generate coverage, that is, on the major players, on the massive breaches, on the subjects that can ground an exemplary fine.
For the rest of the economic fabric, inspection remains statistically improbable. This does not mean the effort should slacken, but that the motivation to comply can no longer come solely from fear of the regulator. It has to take root in an understanding of operational resilience, which is another conversation, slower, harder to have with an executive committee.
Pivot
The CNIL's 2025 report is therefore not a homogeneous document. It layers an activity review, a diagnosis of institutional strain, and an implicit program of transformation. The chair speaks of a pivot. The word is apt, but you have to hear in pivot the dual dimension of a shift and of fragility. A hinge articulates, and it can also give way.
Several questions remain open after reading. How will the authority actually exercise its market-surveillance role without technical expertise sized for it. How will coordination between European regulators stabilize without adding still more to the burden on regulated entities. How will the DPO evolve into a role that now demands cross-disciplinary competence many do not have. How will organizations fold the data-processor cascade into a risk map that, for most of them, did not see it even three years ago. And how do you explain to an executive committee that the cookie banner is not the main issue, when the authority itself seems to say the opposite through its record figures.
The report answers none of these questions. It raises them, more or less explicitly, and leaves the players to sort them out. That is probably the clearest indication of the regulator's real position in 2026. It has stopped pretending to know everything, and it has started asking regulated entities to do the same.
Questions fréquentes
Why is the CNIL's record 2025 fine figure misleading?
Of the 486.8M euros announced, 475M euros come from two cookie decisions taken on the same day against Google (325M euros) and Shein (150M euros). Remove them and the year's total in fines drops to around 11M euros, five times less than in 2024.
What is the main blind spot identified in the report?
The failure of data processors. Two vendors compromised during the year triggered a cascade of 11,635 breach notifications, to the point where the CNIL had to remove them from its figures to keep the trend readable. Yet the risk had been documented by ENISA as early as 2023.
What is the "cross-regulation" the CNIL mentions?
It is the sharing of the CNIL's remit with other authorities (DGCCRF, ARCEP, ARCOM, the competition authority) on the new European texts. The chair concedes that the coordination procedures "remain to be built" even though the texts are already in force.
What new roles is the CNIL taking on regarding AI?
Subject to parliamentary confirmation, four distinct jobs: protecting personal data inside algorithms, checking against banned AI systems, issuing alerts on fundamental rights, and market surveillance of high-risk systems (biometrics, employment, migration, law enforcement).
Are the CNIL's resources keeping pace with its expanding remit?
No. In 2025 the CNIL has a budget of 30.2M euros and 303 staff, with zero new posts planned for 2026, while its remit expands under the DSA, the DGA, the SREN law and the AI Act. The authority must therefore "prioritize better."
Sources & méthodologie
- CNIL, 2025 Annual Report
- CNIL, Decisions of 1 September 2025 (Google, Shein), cookie legislation
- ENISA, Foresight 2030 Threat Landscape (2023)
- EDPB, Helsinki summit statement, July 2025
- CNIL / Ministry of Labour / AFCDP study on DPOs and AI (2025)

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
